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1.  SCOPE 


This  specification  establishes  the  requirements  for  complete 
identification  of  the  ESD /MITRE  Security  Kernel  Computer  Program 
Product  (SKCPP)  for  the  PDP-11/45,  henceforth  to  be  referred  to  as 
the  Security  Kernel.  The  purpose  of  the  specification  is  to  pre- 
sent the  information  necessary  to  understand  the  Security  Kernel 
for  use,  either  for  further  investigation,  or  for  implementation  in 
a similar  hardware  environment. 

The  Security  Kernel  is  the  software,  when  Installed  and  running 
properly  on  the  PDP-11/45  hardware,  that  provides  the  facilities  to 
control  access  of  active  system  elements  (subjects)  to  units  of 
information  (objects)  within  the  computer  system,  thus  providing 
the  basis  for  secure  computer  systems  on  the  PDP-11/45. 
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2.  REFERENCED  DOCUMENTS 


The  following  documents,  of  exact  issue  shown,  form  a part  of 
this  specification  to  the  extent  specified  herein.  In  the  event  of 
conflict  between  the  documents  referenced  herein  and  the  contents  of 
this  specification,  the  contents  of  this  specification  shall  be 
considered  a superseding  requirement. 

2 . 1 Government  Documents 


a.  Bell,  D.  E. , L.  J.  LaPadula,  "Secure  Computer  Systems", 
ESD-TR-73-278 , Volumes  I,  II,  III,  November  1973  - 
April  1974  (AD770768,  AD771543,  AD780528) . 

b.  DoD  5200.1,  DoD  Information  Security  Program,  June  1972. 

c.  DoD  5200. 1“R,  Regulations  Governing  the  Classification, 
Downgrading,  Declassification  and  Safeguarding  of  Classi- 
fied Information,  November  1973. 

d.  Schiller,  W.  L. , "Design  and  Specification  of  a Secure 
Kernel  for  the  PDP-11/45",  ESD-TR- 75-69 , May  1975 
(ADA011712) . 

e.  Stork,  D.  F. , "Downgrading  in  a Secure  Multilevel  Computer 
System:  The  Formulary  Concept",  ESD-TR-75-62 , May  1975 
(ADA011696)  . 

2.2  Non-Government  Documents 


a.  Clark,  B.  L. , F.  J.  B.  Ham,  "The  Project  SUE  System 
Language  Reference  Manual" , Computer  Systems  Research 
Group,  University  of  Toronto,  September  1974. 

b.  KTll-C  Memory  Management  Unit  Maintenance  Manual,  Digital 
Equipment  Corporation , Maynard , MA. , 1973 . 

c.  PAL-llR  Assembler,  Digital  Equipment  Corporation,  Maynard, 
MA. , 1973. 

d.  Parnas,  D.  L. , "A  Technique  for  Software  Module  Specifica- 
tion with  Examples",  Communications  of  the  ACM,  Volume  15, 
No.  5,  330-336,  May  1972. 

e.  PDP-11  Peripherals  Handbook,  Digital  Equipment  Corporation, 
Maynard,  MA. , 1973. 
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f.  PDP-11/45  Processor  Handbook,  Digital  Equipment  Corpora- 
tion, Maynard,  MA. , 1973. 

g.  User's  Manual  for  Delta  5000  Family  of  Video  Display 
Terminals,  Delta  Data  Systems,  Cornwells  Heights,  PA., 
August  1974. 
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3.  REQUIREMENTS 


The  Security  Kernel  as  described  in  this  specification  operates 
on  a Digital  Equipment  Corporation  PDP~ll/45  with  memory  management 
unit  with  128K  bytes  of  core  (reference  2.2bj  e,  and  f)  and  a mass 
storage  device  in  the  form  of  an  RFll  disk  with  512K  bytes  available. 
The  other  peripherals  associated  with  this  PDP-11/45  are  two  Delta 
Data  Systems  Delta  5000  scopes  (reference  2.2g),  an  ASR-33  teletype 
and  a Digital  Equipment  Corporation  DECwriter  (reference  2.2e). 

Only  minor  modifications  to  the  Security  Kernel's  code  would  be 
required  to  add,  delete,  or  change  the  peripherals.  The  aforemen- 
tioned storage,  however,  is  considered  to  be  the  minimal  require- 
ment for  effective  execution. 

The  output  medium  used  for  transfer  of  the  load  module  from  the 
IBM  360  environment,  where  the  Project  SUE  System  and  the  PDP-11 
Cross  Assembler  both  execute,  to  the  PDP-11/45  is  a 9 track  magnetic 
tape.  The  Digital  Equipment  Corporation  TMll  magnetic  tape  system 
(reference  2.2e)  is  used  to  load  the  9 track  magnetic  tape  into  the 
PDP-11/45. 

A reference  monitor  is  fundamental  to  a secure  computer  system. 
The  reference  monitor  is  that  portion  of  a computer's  hardware  and 
software  which  enforces  the  authorized  access  relationships  between 
subjects  and  objects.  Subjects  are  entities  such  as  a user  or  a 
process  that  seek  to  gain  access  to  objects,  while  objects  are 
entities  such  as  data,  programs,  and  peripheral  devices  to  which 
access  must  be  gained  in  the  course  of  the  system's  use.  The  RFll 
disk  is  the  only  DMA  (direct  memory  access)  device  the  Security 
Kernel  handles.  It  has  complete  control  over  what  is  x^itten  and 
XAjhat  is  read  since  it  has  sole  write  access  to  the  disk  status 
register,  which  contains  disk  address,  memory  address,  mode,  and 
woid  count. 

The  memory  management  unit  (MHU)  option  of  the  PDP-11/45  pro- 
vides the  hardware  facilities  that  make  it  a suitable  base  for  a 
secure  system.  The  MMU  checks  all  references  to  memory  and  supports 
enforcement  of  three  access  modes  — read/write,  read,  and  no  access 
protection.  It  also  provides  a hierarchy  of  three  domains  (or 
modes)  of  execution  — kernel,  supervisor,  and  user.  The  hardware 
affects  the  hierarchical  ordering  of  domains  by  permitting  the 
execution  of  certain  machine  instructions  in  the  kernel  domain  only, 
and  restricting  the  manner  in  which  the  instructions  which  pass  con- 
trol from  domain  to  domain  operate.  The  MMU  performs  dynamic 
address  translation;  each  time  an  effective  address  is  generated 
during  instruction  execution,  it  is  treated  as  a 16-bit  virtual 
address  and  translated  into  an  18-bit  physical  address  before 
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reference  to  main  memory  is  made.  Figure  1 portrays  the  dynamic 
address  translation  performed  by  the  MMU.  The  translation  is  con- 
trolled by  the  contents  of  a set  of  eight  segmentation  registers, 
one  set  for  each  domain  of  execution. 

The  Security  Kernel  is  the  software  portion  of  the  reference 
monitor,  the  control  and  certification  of  which  is  essential  to 
achieve  a basic  security  module.  It  protects  itself  by  insuring 
that  its  own  procedures  are  the  only  ones  that  execute  in  kernel 
mode,  and  by  executing  interpretively  all  attempts  to  access  the 
Security  Kernel  data  base  that  originate  with  processes  executing 
outside  the  kernel. 

Interpretive  execution,  within  the  kernel,  of  access  attempts 
permits  objects  accessed  in  the  kernel  domain  to  be  portions  of 
segments,  whereas  a directly  accessed  object  outside  the  kernel 
must  be  coextensive  with  a single  segment  (reference  2. Id);  a seg- 
ment is  described  as  a collection  of  from  64  to  8194  bytes  of  con- 
tiguous virtual  memory,  which  is  uniquely  identified,  and  which  may 
be  inserted  into  an  appropriately  sized  and  protected  region  of 
main  memory. 

The  identification  of  a subject  recognized  by  the  Security 
Kernel  is  an  ordered  pair,  whose  components  are  a process  and  a 
domain.  A process,  in  turn,  is  identified  by  the  kernel  as  operat- 
ing on  behalf  of  a user/project  pair.  Information  that  describes 
processes  is  contained  in  data  structures  that  are  accessed  in  the 
kernel  domain. 

The  Security  Kernel  software,  operating  in  the  PDP-11/45  with 
provides  a non-random  access,  segmented  virtual  memory.  The 
segmented  virtual  memory  is  organized  into  a tree-like  directory 
hierarchy.  The  set  of  all  segments  in  the  hierarchy  is  the  system 
space  (SS)  . By  virtue  of  security  attributes  and  a security  policy, 
most  users  of  the  system  will  not  be  able  to  access  all  of  the  seg- 
ments in  SS.  The  subset  that  a particular  user  may  access  is 
called  a virtual  space  (VS) . When  a user  process  starts  execution 
in  a system  that  incorporates  the  Security  Kernel,  it  has  a virtual 
machine  executing  on  its  behalf.  This  process  will  have  an  address 
space  of  segments  constrained  in  size  by  certain  design  and  imple- 
mentation parameters.  The  process’s  address  space  is  called  the 
working  space  (WS)  , and  is  always  a subset  of  the  user's  VS. 

Finally,  to  permit  a process  direct  access  to  all  segments  in  its 
WS  would  severely  constrain  the  size  of  the  WS  (to  the  number  of 
descriptors  available).  For  that  reason  another  space,  access 
space  (AS),  is  added.  AS,  a subset  of  WS , represents  the  segments 
that  a process  can  directly  address  because  it  has  descriptors 
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Figure  1.  Dynamic  Address  Translation 
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available.  A process,  therefore,  may  frequently  remove  a segment 
from  AS  to  make  room  for  another,  without  necessarily  removing  the 
segment  from  WS . Figure  2 shows  these  space  relationships. 

3 . 1 Functional  Allocation  Description 

a.  Control  Entry  and  Exit  functions  accept  and  check  para- 
meters furnished  by  the  user. 

b.  Directory  Manipulation  functions  change  the  security  state 
of  the  system  by  creating  or  deleting  segments,  and  by 
adding  or  deleting  elements  in  a segment’s  control  list. 

c.  Segment  Accessing  functions  move  segments  into  and  out  of 
a process’s  working  space, 

d.  Process  Cooperation  functions  allow  the  sequential 
processes  that  coexist  in  the  physical  computer  system 
to  cooperate  in  performing  computations. 

e.  Process  Control  functions  select  a particular  process  to 
which  the  CPU  will  be  allocated,  while  saving  information 
pertaining  to  other  processes . 

f.  Privileged  functions  establish  certain  system  conditions, 
and  may  only  be  invoked  by  trusted  subjects. 

Of  the  forty- two  CPC’s,  eighteen  are  externally  callable,  that 
is,  they  are  called  by  a process  operating  outside  the  perimeter  of 
the  Security  Kernel  (external  to  the  kernel  domain) . These  com- 
ponents are  accessed  by  way  of  kernel  commands,  which  include  the 
symbolic  name  of  the  function  along  with  the  appropriate  arguments. 

The  externally  callable  functions  are  listed  below  according  to 
their  functional  uses. 

Directory  Manipulation 

. create 
. delete 
. give 
. rescind 
. read  directory 

Segment  Accessing 

. get  write 
. get  read 
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. release 
. enable 
. disable 
. outer  P 
. outer  V 

. send  interprocess  coininunication 
. receive  interprocess  communication 

Process  Control 

. stop  process 

Privileged 

. start  process 
. change  object 
. initialize  hierarchy 

The  remaining  twenty-four  CPC’s  are  called  once  the  kernel 
domain  has  been  entered  (internal  to  the  kernel  domain) . They  are 
called  either  directly  or  indirectly  by  the  externally  callable 
components  and  are  invisible  outside  the  Security  Kernel. 

The  internally  callable  functions  are  listed  below  according 
to  their  functional  uses. 

Control  Entry  and  Exit 
. gate 

. parameter  checker 

Directory  Manipulation 

. delete  segment 
. disk  allocation 
. free  disk 

. search  out  and  destroy  descriptors 
. get  directory 
. write  directory 

Segments  Accessing 

. directory  search 
. connect 
. activate 
. deactivate 
. prehash 
. hash 

. load  segment  descriptors 
. swapin 
. swapout 
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. initialize  segment 
. disk  input /output 

Process  Cooperation 

. P 
. V 

Process  Control 

• sleep 
. run 

• swap 

The  kernel  function  gate  (GATE)  is  the  sole  entry  and  exit 
point  into  and  out  of  the  kernel  domain.  When  a user  process  re- 
quests an  externally  callable  user  level  function,  a trap  is  gen- 
erated (reference  2.2f)  and  as  a result  of  this  trap  GATE  is 
entered.  Upon  entry,  the  supervisor’s  stack  is  accessed  for  para- 
meter passing.  The  parameter  checker  (PCHECK)  is  then  invoked  by 
GATE  and  the  parameters  associated  with  the  user  requested  function 
are  checked  to  assure  that  they  are  within  the  acceptable  ranges. 

If  all  parameters  are  within  bounds  PCHECK  invokes  the  user  re- 
quested function.  Once  the  user  requested  function  has  performed 
its  task,  the  return  code  (RC)  is  passed  through  PCHECK  to  GATE. 

GATE  accesses  the  supervisor’s  stack,  places  the  RC  on  the  super- 
visor’s stack  and  the  kernel  domain  is  exited.  The  only  access 
route  through  the  security  perimeter  into  kernel  domain  is  through 
GATE,  which  is  also  the  only  exit  route. 

The  Security  Kernel  supports  five  processes  which  operate  on 
behalf  of  the  user  (see  Section  3.).  The  interrupt  handlers  for 
these  I/O  devices  are  handled  within  GATE.  It  saves  the  contents 
of  the  current  process  ’ s registers ; the  PC  (program  counter)  and 
PSW  (process  status  word)  (reference  2.2f)  of  the  interrupt  vector 
become  the  new  process  PC  and  PSW.  The  new  current  process  is  made 
available  for  servicing  by  a call  to  V which  increments  the  sema- 
phore on  this  process  ’ s I/O  segment.  The  general  purpose  registers, 
the  PC,  and  the  PSW  are  restored  to  what  they  contained  before  the 
interrupt.  For  a more  detailed  description  of  GATE  refer  to  para- 
graph 3.2.1. 

The  following  subparagraphs  provide  more  detail  on  the  Security 
Kernel  computer  program  components,  the  functional  areas  in  which 
they  fall,  their  symbolic  code,  and  the  major  function  they  perform. 
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To  avoid  confusion  an  explanation  of  the  release  function  is  in 
order  here.  The  symbolic  code  of  the  release  function  changes  once 
the  kernel  domain  has  been  entered.  Externally  (outside  kernel  domain) 
the  function  is  known  as  PHLEASE  to  match  the  mathematical  model 
(reference  2.1a).  Internally  (inside  kernel  domain)  the  function  is 
known  as  DCONNECT,  as  it  is  the  inverse  of  the  function  CONNECT. 

3.1.1  Entering  and  Exiting  Kernel  Domain 

Two  functions  are  provided  to  accept  and  check  parameters 
furnished  by  the  user.  These  functions  are  always  invoked  when  an 
external  call  is  made  to  the  Security  Kernel  or  upon  exiting  from 
kernel  domain. 

3.1.1. 1 Accepting  and  Checking  Parameters 

3. 1.1. 1.1  Internal  Functions 

Gate  GATE  the  entry  and  exit  point  into 

and  out  of  the  kernel. 

Parameter  Checker  PCHECK  assures  that  all  user  input 

parameters  are  within  bounds. 


3.1.2  Directory  Manipulation  Functions 

A set  of  functions  is  provided  for  manipulating  the  attributes 
of  segments.  These  functions  change  the  security  state  of  the  system 
by  creating  and  deleting  segments,  and  by  adding  and  deleting  elements 
to/from  a segment’s  access  control  list  (ACL).  The  common  security 
requirement  for  all  functions  that  modify  segment  attributes  is  that 
the  modifying  process  currently  have  write  access  to  the  segment’s 
parent  directory. 

3. 1.2.1  Creating  and  Deleting  Segments 

3. 1.2. 1.1  External  Functions 

Create  CREATE  creates  a segment  inferior  to 

a specified  directory  segment. 

Delete  DELETE  deletes  an  existing  segment 

and  any  segments  subordinate 
to  it. 
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3.1. 2, 1.2  Internal  Functions 


Delete  Segment 

DELETSEG 

deletes  an  empty  directory  or 
a data  segment. 

Disk  Allocation  DALLOC 

allocates  space  on  the  disk  as 
segments  are  created. 

Free  Disk 

DFREE 

frees  space  on  the  disk  as 
segments  are  deleted. 

3 . 1 . 2 . 2 Giving  and 

Rescinding  Access 

3. 1. 2. 2 , 1 External 

Functions 

Give 

GIVE 

adds  an  ACL  element  to  a seg- 
ment's ACL  chain. 

Rescind 

RESCIND 

removes  an  ACL  element  from 
a segment *s  ACL  chain. 

3. 1.2. 3 Directory  Support  Functions 

3. 1. 2. 3. 1 Internal 

Functions 

Search  Out  and 

Destroy 

Descriptors 

SOADD 

removes  a segment  from  the 
address  space  of  all  pro- 
cesses that  currently  have 
access  to  that  segment. 

3. 1.2. 4 Reading  Directories 

3 . 1 . 2 . 4 . 1 External 

Functions 

Read  Directory 

READIR 

provides  interpretive  read 
access  to  an  object  that  is 
in  a process’  address  space. 

3. 1.2. 5 Directory  Checking 

3. 1. 2. 5. 1 Internal 

Functions 

Get  Directory 

GETDIR 

assures  that  a directory  seg- 

ment  to  be  written  is  in  main 
memory  and  accessible. 
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Write  Directory  WRITEDIR 


checks  that  a segment  is  a 
directory  and  if  so,  that 
the  current  process  has 
write  access  to  it. 


3.1.3  Segment  Accessing 

There  are  functions  provided  for  moving  segments  into  and  out 
of  a process’s  working  space  (WS)  and  functions  that  support  the 
implementation  of  access  space  (AS) . The  function  that  changes  a 
process’s  WS  changes  the  state  of  the  system  with  respect  to  5.'ecurity, 
whereas  the  functions  that  change  AS  are  only  changing  the  representa- 
tion of  the  current  security  state.  A process  can  directly  address 
only  those  segments  in  its  WS  that  are  also  in  its  AS  because  of 
hardware  segmentation  register  constraints.  X^S  is  defined,  for 
security  purposes,  to  be  the  address  space  of  a process. 


3. 1.3.1  Getting  and  Releasing  Access 


3. 1.3. 1.1  External 

Functions 

Get  Write 

GETW 

moves  a segment  into  a process’s 

WS  in  write  mode  if  all  require- 
ments are  satisfied. 

Get  Read 

GETR 

moves  a segment  into  a process’s 
WS  in  read  mode  if  all  require- 
ments are  satisfied. 

Release 

DCOMECT 

removes  a segment  from  a process’s 
WS  (known  externally  as  RELEASE, 
internally  as  DCONNECT). 

3. 1. 3. 1. 2 Internal 

Functions 

Directory  Search  DSEARCH 

searches  an  ACL  chain  looking 

for  an  ACL  element  that  applies 
to  the  invoking  process. 

3. 1.3. 2 WS  Support  Functions 

3 . 1 . 3 . 2 . 1 Internal 

Functions 

Connect 

CONNECT 

connects  a process  to  a segment 

in  its  WS. 
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Activate 


ACT 


copies  the  directory  entry  into 
an  ASTE  (active  segment  table 
entry)  and  initializes  other 
fields  in  the  ASTE. 


Deactivate 


Prehash 


DEACT 


PREHASH 


removes  a segment  from  the  AST 
(Active  Segment  Table), 

computes  an  index  into  the  hash 
table . 


Hash 


HASH 


converts  a disk  address  (which 
uniquely  identifies  a segment) 
to  an  ASTE#,  using  a hash  table. 


3 . 1 . 3 . 3 . 1 External 

Functions 

Enable 

ENABLE 

moves  a segment  in  a process’s 
WS  into  its  AS. 

Disable 

DISABLE 

removes  a segment  from  a pro- 
cess’s AS  and  frees  a segmenta- 
tion register. 

3. 1. 3 . 3 . 2 Internal 

Functions 

Load  Segment 
Descriptor 

LSD 

constructs  segment  descriptors 
and  inserts  them  into  descrip- 
tor registers. 

3. 1.3. 4 AS  Support 

Functions 

3. 1. 3. 4. 1 Internal 

Functions 

Swap  In 

SWAP IN 

swaps  a segment  into  main 
memory . 

Swap  Out 

SWAP OUT 

removes  a segment  from  main 
memory . 

Initialize  Seg- 

INITSEG 

initializes  a segment  in 

ment 

memory . 

Disk  Input/Output 

DISKIO 

performs  a disk  I/O  operation. 
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3.1.4  Process  Cooperation 


Mechanisms  are  provided  to  allow  the  sequential  processes  that 
coexist  in  the  physical  computer  system  to  cooperate  in  performing 
computations.  These  mechanisms  are  used  within  the  Security  Kernel 
to  insure  its  correct  operation.  The  Security  Kernel  provides 
functions  that  allow  these  mechanisms  to  be  used  in  an  arbitrary 
manner  subject  only  to  security  constraints.  These  functions  do  not 
change  the  security  states  of  the  system.  They  provide  interpretive 
access  to  objects  as  permitted  by  the  current  state,  and  since  they 
can  cause  the  execution  state  of  a process  to  change,  they  modify 
the  representation  of  the  current  state. 


3. 1.4.1  Synchronization  Primitives 


3. 1.4. 1.1 

External 

Functions 

Outer 

P 

OUTERP 

Outer 

V 

OUTERV 

3. 1.4. 1.2 

Internal 

Functions 

P and 

V 

P and  V 

3. 1.4.2  Interprocess  Communication 

3. 1.4. 2.1 

External 

Functions 

Send  Interprocess  IPCSEND 
Communication 


Receive  Inter-  IPCRCV 

process 

Communication 


when  a P or  V is  performed 
externally, OUTERP  and  OUTERV 
perform  implementation  and 
security  checks. 


allows  users  to  coordinate  the 
modification  of  shared  seg- 
ments and  to  synchronize  with 
their  terminal  I/O. 

P and  V are  the  standard 
synchronization  primitives. 


allocates  an  IPC  element,  fills 
it  in  and  adds  it  to  the  queue 
of  elements  waiting  to  be 
received. 

removes  the  data  from  an  IPC 
element  and  puts  the  element 
on  the  free  chain. 
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3.1.5  Process  Control 


A set  of  functions  are  provided  for  selecting  a particular 
process  to  run,  and  for  preparing  and  saving  information  pertaining 
to  the  process  that  currently  has  the  CPU  allocated  to  it  and  the 
next  ready  process. 


3. 1.5.1  Creating  and  Deleting  Processes 


3. 1.5. 1.1  External  Functions 

Stop  Process  STOPP 

3. 1.5. 1.2  Internal  Functions 

Sleep  SLEEP 

Run  RUN 

Swap  SWAP 


3.1.6  Privileged  Functions 


relinquishes  a user's  owner- 
ship of  a process. 


schedules  another  process,  in 
a round  robin  fashion. 

saves  information  on  the 
current  process  and  prepares 
to  run  the  next  process. 

establishes  the  next  process 's 
address^  space. 


Three  kernel  functions  are  invoked  by  the  executive  process 

only. 


3. 1.6.1  Trustworthy  Process  Functions 


3. 1.6. 1.1  External  Functions 

Change  Object  CHANGED 

Initialize  INITH 

Hierarchy 


performs  a change  in  classifi- 
cation of  a non-directory 
segment . 

sets  up  the  initial  directory 
structure  at  initialization 
time . 
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Start  Process 


STARTP 


initializes  a nex7  process. 


3. 2 Functional  Description 

This  paragraph  contains  the  detailed  technical  descriptions  of 
the  computer  program  components  identified  in  paragraph  3.1  of  this 
specification.  The  instruction  listing  contained  in  Section  10 
specifies  the  exact  configuration  of  the  Security  Kernel. 

Most  of  the  computer  program  components  of  the  Security  Kernel 
are  written  in  Project  SUE  System  Language  (reference  2.2a). 

DALLOC,  DFREE,  DISKIO,  LSD,  and  SWAP,  which  deal  exclusively  with 
disk  space  and  hardware  registers,  are  written  in  PAL-11,  the 
PDP-11/45  assembler  language  (reference  2.2c). 

The  SUE  language  facilitates  highly  readable  structured  programs 
and  data.  One  of  its  features  is  a macro  facility  which  permits  text 
substitution  with  parameters,  but  no  compile- time  computation.  That 
is,  the  macro  name  is  textually  replaced  by  its  macro  body  at  compile 
time,  thus  eliminating  repetitive  coding  and  branching.  One  of  the 
ways  the  Security  Kernel  makes  use  of  this  feature  is  in  producing 
a more  efficient  and  more  exact  calling  sequence. 

Each  externally  callable  function  has  associated  with  it  a macro 
whose  name  begins  with  ’K’J  e.g.,  KCREATE  is  the  macro  associated 
with  the  CREATE  function.  These  macros  are  located  in  the  Context 
Block  (reference  2.2a)  NOFORN  (Section  10,  pages  2 through  10)  which 
contains  definitions  relevant  to  all  kernel  users  but  is  external 
to  the  security  perimeter  of  the  Security  Kernel.  The  effect  of 
these  macros  is  to  generate  code  which  will  place  the  parameters  of 
the  requested  function  on  the  supervisor’s  stack  and  force  an 
interrupt.  As  a result  of  the  interrupt  a branch  into  the  kernel 
domain  is  effected.  An  example  of  the  calling  sequence  is  as 
follows . 

A user  process  requests  the  externally  callable  function  CREATE 
by  using  the  Kernel  Command  CREATE  along  with  its  appropriate  para- 
meters. The  macro  KCREATE  generates  code  which  places  the  input 
parameters  on  the  supervisor’s  segmentation  register  0 stack  and 
forces  an  interrupt.  As  a result  of  this  interrupt  a branch  into 
GATE  is  effected.  GATE  accesses  the  supervisor’s  stack  through 
kernel  segmentation  register  3 (KSR3) . The  parameters,  which  are 
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now  residing  in  KSR3,  are  passed  to  PCHECK  for  checking.  If  at  this 
point  the  parameters  are  within  the  acceptable  ranges,  PCHECK  in- 
vokes the  CREATE  function. 

Many  of  the  kernel  functions  set  the  value  of  a per  process 
return  code  (RC) . The  security  attributes  of  the  RC  object  are 
equal  to  those  of  the  process.  In  general,  Security  Kernel  functions 
set  RC  to  indicate  whether  or  not  they  were  called  correctly.  A 
few  functions  use  RC  to  return  additional  information  to  the  user. 
Each  process  can  always  observe  its  own  and  only  its  own  RC  object. 
Once  the  called  function  has  performed  its  task,  it  passes  the  RC 
through  PCHECK  to  GATE.  GATE  then  performs  the  inverse  of  its  entry 
sequence,  that  is,  it  gains  write  access  to  the  supervisor's  stack 
through  KSR3  and  places  the  RC  on  it . 

Another  feature  of  the  Project  SUE  System  Language  (reference 
2.2a)  is  the  use  of  Inline.  Inline  inserts  arbitrary  machine  code 
inline  at  compile  time.  The  parameters  are  quantities  that  cause 
code  to  be  placed  in  the  machine  instruction  format. 

Figure  3 shows  the  intended  interpretation  of  the  external 
kernel  function  parameters  and  internal  kernel  variables.  TCP  (the 
current  process)  is  an  internal  Security  Kernel  variable  that  indi- 
cates which  process  is  currently  bound  to  the  CPU.  It  is  part  of 
the  mechanism  for  implementing  a distributed  kernel  and  prevents 
users  of  the  Security  Kernel  from  forging  their  identity. 

The  individual  CPC's  are  described  in  the  following  3.2  sub- 
paragraphs.  Figure  3a  identifies  the  form  in  which  each  CPC  is 
presented. 
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External  Security  Kernel  function  parameters 


seg# 

segment  number  of  a segment  in  a process’s 
address  space  (WS) 

offset 

identification  of  an  entry  within  a 
directory 

class 

a classification 

cat 

a category  set 

type 

DATA  or  DIRECTORY 

size 

size  of  a segment  in  blocks 

mode 

WRITE,  READ,  or  NO 

user__id 

user  identification 

project__id 

project  identification 

reg# 

identification  of  a segmentation  register 

process# 

identification  of  a process 

block# 

main  memory  address  of  a segment 

Internal  Security  Kerne],  "variables" 


TCP 

the  current  process 

aste# 

pointer  to  an  AST  entry 

daste# 

aste#  for  a segment  known  to  be  a directory 

acl6# 

pointer  to  an  ACL  element 

smfr# 

pointer  to  a semaphore 

ipce# 

pointer  to  an  IPC  element 

Figure  3 * Intended  Interpretations 
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3.2.n  CPC  Title  (symbolic  code) 


Identification  of  the  level  of  the  SKCPP  function,  the 
level  of  functions  that  call  it,  the  level  of  functions  that 
it  calls  and  the  language  in  which  it  is  written. 

3.2. n.l  Description 

A description  of  the  internal  requirements  of  the  CPC.  A 
formal  specification  is  also  presented. 

3.2. n.2  Flow  Charts 

Flow  charts  are  presented  for  the  PAL-11  CPCs  exclusively 
as  it  is  felt  that  the  highly  readable  structure  of  the  SUE 
language  makes  flow  charting  of  those  CPCs  redundant . 

3.2. n.3  Interfaces 

The  relationships  of  the  CPCs  to  each  other  are  presented 
here  by  listing  those  CPCs  that  call  and  those  CPCs  called 
by  this  specific  CPC. 

3.2.n.4  Data  Organization 

The  relationships  of  the  CPC  to  the  data  base  structures 
are  presented  here.  Global  references,  function  parameters 
local  references,  and  constants  are  listed. 

3.2. n.5  Limitations 

Any  known  limitations  of  the  CPC  are  presented  here. 

3.2.n.6  Listing 

A complete  listing  of  the  Security  Kernel  is  provided  in 
Section  10 ; however,  this  subparagraph  includes  the  DATA 
BLOCK  and  PROGRAM  BLOCK  of  the  specific  CPC. 


Figure  3a.  CPC  Write-Up  Form 
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3.2.1  Gate  (GATE) 


The  Gate  CPC,  GATE,  is  a kernel  level  internal  SKCPP  function 
that  is  invoked  as  the  result  of  a user  level  program  requesting  an 
externally  callable  Security  Kernel  function.  This  CPC  is  unique  as 
it  is  the  sole  entry  and  exit  point  into  and  out  of  the  domain  of  the 
Security  Kernel,  that  is,  an  externally  callable  function  can  only  be 
reached  through  GATE  and  all  return  codes  (if  applicable)  are  passed 
to  the  user  through  GATE.  GATE  directly  calls  the  kernel  level  in- 
ternal function  PCHECK,  which  in  turn,  directly  calls  the  user  re- 
quested function.  The  other  function  that  GATE  calls  is  the  kernel 
level  internal  function  V.  It  is  written  in  Project  SUE  Language, 

3. 2. 1.1  Description 

GATE  provides  the  only  entry  and  exit  point  to  and  from  the 
Security  Kernel.  It  performs  the  KERNEL_ENTRY  macro  which  pushes 
the  supervisor’s  stack  and  registers  onto  the  kernel’s  stack.  If 
the  logical  and  of  PSW  and  PREV_MODE_MASK  does  not  equal  PREV_MODE__ 
SUPERV,  the  call  was  not  made  from  supervisor  mode  and  GATE  ignores 
it.  Otherwise,  the  kernel  must  access  the  supervisor’s  stack 
through  KSR3  to  get  its  parameters,  so  it  assigns  to  KSDR3  and  KSAR3 
the  values  of  SDR0  and  SAR0.  GATE  then  calls  PCHECK  to  check  the 
parameters  and  to  call  the  function  requested,  and  sets  RC  to  the 
value  PCHECK  returns.  It  then  assigns  to  KSR3  and  KRC  the  values  of 
SR0  and  RC,  regaining  access  to  the  supervisor’s  stack  and  inserting 
the  return  code.  GATE  then  invokes  the  KERNEL_EXIT  macro  to  restore 
supervisor  registers  R0  to  R6  from  its  stack  and  return.  GATE 
handles  interrupts  by  invoking  KERNEL  ENTRY  to  save  the  contents  of 
the  current  process’s  registers;  the  PS  and  PSW  of  the  Interrupt 
vector  become  the  new  process’s  PC  and  PSW.  GATE  calls  V to  incre- 
ment the  semaphore  on  the  new  current  process,  so  it  can  be  serviced. 
KERNEL_EXIT  is  then  invoked,  restoring  the  general  purpose  registers, 
the  PC,  and  the  PSW  with  what  they  contained  before  the  interrupt. 

Function:  GATE 

Parameters  : GATE(function_code  ,seg// , offset , class  , cat , type , 
size , mode , user__id  ,pro  j ect__id , reg# , process# , 
block#) 

Effect: 

IF  PSW  & PREV_MODE_MASK  = PREVJ10DE__SUPERV ; 

THEN:  PCHECK(f unction_code , seg# , offset , class , cat , type , size , 

mode , user^id, proj ect__id , reg# , process# , block#)  ; 

END; 
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3. 2. 1.2  N/A 

3. 2. 1.3  Interfaces 


As  a direct  result  of  a user  level  external  program  requesting 
an  externally  callable  Security  Kernel  function,  the  macro  associated 
with  the  requested  function  is  invoked.  The  macro  generates  code 
which  places  the  user  entered  parameters  on  the  supervisor’s  stack 
and  causes  an  interrupt.  As  a direct  result  of  this  interrupt, 
entry  into  the  Security  Kernel  domain  is  reached. 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

see  above  paragraph  PCHECK 

V 


3. 2. 1.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and  con- 
stants used  by  the  function  GATE.  For  data  base  references  refer  to 
Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2. 


Data  Base  References 


Global  References  Functional  Parameters  Local  References 


SDR0 

SAR0 

PSW 


FUNCTION_CODE 

SEG# 

OFFSET 

CLASS 

CAT 

TYPE 

SIZE 

MODE 

USER_ID 

PROJECT_ID 

REG# 

PROCESS# 

BLOCK# 


Constants 

DECW_PROCESS# 
DISK_SMFR 
PREV  MODE  MASK 


KSDR3 

KSAR3 

RC 
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SC0PE1___PR0CESS// 

SC0PE2JPR0CESS// 

A short  discussion  of  the  two  Context  Blocks  CONTEXT  NOFORN 
and  CONTEXT  KERNEL  seems  appropriate  at  this  point.  The  Context 
Block  NOFORN  contains  definitions  relevant  to  all  kernel  users  and 
the  Security  Kernel  supportive  software.  The  Context  Block  KERNEL 
contains  definitions  of  the  Security  Kernel’s  virtual  address  space. 
These,  of  course,  reside  outside  the  security  perimeter  of  the 
Security  Kernel.  Refer  to  Section  10  for  listing  of  both  Context 
Blocks. 

DATA  GATE  contains  the  procedure  declarations  for  all  externally 
callable  functions  and  all  but  six  of  the  internally  callable  func- 
tions. Those  six,  DELETSEG,  DALLOC,  DFREE,  GETPIR,  INITSEG,  and 
SWAP,  are  called  by  only  one  function  and  are  declared  in  the  Data 
Block  of  that  function. 

3. 2. 1.5  Limitations 


Entry  into  kernel  domain  is  only  affected  if  the  call  is  made 
from  supervisor  domain.  The  return  code  (RC)  is  that  which  the  re- 
quested function  has  passed  through  PCHECK. 

3. 2. 1.6  Listing 


DMA  GATE; 

/♦  MUST  CHECK  INITIALIZATION  OP  INTERRUPT  VECTORS  IN  STARTUP  EVERY  TIME  A 


* CHANGE  IS  MADE  TO 

MACRO  KERNEL^ENTRY; 
INLINE (MFPIR6) ; 

1 GATE 

(DATA  OR  PROGRAM) 

INLINE  (MOV,  0, 

5, 

6)  ; 

INLINE(MOV,  0, 

6); 

INLINE(MOV,  0, 

3, 

6) ; 

INLINE  (MOV , 0, 

2, 

6)  ; 

INLINK(MOV,  0, 

1r 

6) ; 

INLINE  (MOV,  0, 

0, 

4, 

6) ; 

INLINE  (MOV  , 0, 

6, 

0, 

4)  ; 

INLINE  (MOV,  0, 

6, 

0, 

■>) ; 

INLINE  (MOV,  2, 

1, 

4, 

6,  '’800A'*)  ; 

INLINE  (SUB,  2, 
END  MACRO; 

7, 

0, 

6,  4) 

MACRO  KERNEL  FiCIT; 

TNLINE(ADD,  2, 

7, 

0, 

6,  6); 

INLINE  (MOV,  2, 

6, 

0, 

0)  ; 

INLINE  (MOV,  2, 

6, 

0, 

1)  ; 

INLINE(MOV,  2, 

0, 

2)  ; 

INLINE(MOV,  2, 

0, 

3) ; 

TNLTNF(MOV,  2, 

e. 

0, 

4)  ; 

INLINE(MOV,  2, 
INLINE(MTPIRfi)  ; 
INLINE  (RTI) 

END  MACRO; 

6, 

0, 

5)  ; 
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DECLARE 

WORD  (RC)  ; 


/♦ 


EXTERNEL  KERNEL  FUNCTIONS 


DECLARE 

PROCEDURE 
PROCEDURE 
PROCEDURE 
PROCEDURE 
PROCEDURE 
PROCEDURE 
PROCEDURE 
READI 
PROCEDURE 
PROCEDUR  E 
PROCEDURE 
PROCEDURE 
START 


(STOP?)  , 

ACCEPTS 

ACCEPTS 

ACCEPTS 

RETURNS 

ACCEPTS 

ACCEPTS 

P)  r 

ACCEPTS 

ACCEPTS 

ACCEPTS 

ACCEPTS 

P) ; 


(WORD)  (DISABLE)  , 

(WORD,  WORD)  (DCONNECT), 

(WORD,  WORD,  WORD)  (IPCSEND)  , 

(WORD)  (IPCRCV)  , 

(WORD)  RETURNS  (WORD)  (OUTERP,  OUTERV)  , 

(WORD,  WORD)  RETURNS  (WORD)  (DELETE,  GETW,  GETR,  ENABLE, 
(WORD,  WORD,  WORD)  RETURNS  (WORD)  (INITH), 

(WORD,  WORD,  WORD,  WORD)  RETURNS  (WORD)  (RESCIND,  CHANGED), 
(WORD,  WORD,  WORD,  WORD,  WORD)  RETURNS  (WORD)  (GIVE), 

(WORD,  WORD,  WORD,  WORD,  WORD,  WORD)  RETURNS  (WORD)  (CREATE, 


INTERNAL  KERNEL  FU-NCTIONS 


DECLARE 


PROCEDURE  (SLEEP)  , 

PROCEDURE  ACCEPTS  (WORD)  (DEACT,  P,  V,  SWAPIN,  SWAPOUT,  RUN), 


PROCEDURE  ACCEPTS  (WORD,  WORD)  (SOADD)  , 


PROCEDURE  ACCEPTS 


WORD,  WORD)  (LSD)  , 


(WORD, 

PROCEDURE  ACCEPTS  (WORD,  WORD,  WORD,  WORD) 
PROCEDURE  RETURNS  (WORD)  (PCHECK)  , 

(WORD) 


(DISKIO)  , 


PROCEDURE  ACCEPTS 


RETURNS  (WORD)  (WR  TTEDTR,  HASH,  PREHASH)  , 
PROCEDURE  ACCEPTS  (WORD,  WORD,  WORD)  RETURNS  (WORD)  (DSEARCH,  CONNECT)  , 
PROCEDURE  ACCEPTS  (WORD,  WORD)  RETURNS  (WORD)  (ACT); 


PROGRAM  GATE; 

/♦  PUSH  SUPERVISOR  R6  AND  R0-R5  ONTO  KERNEL'S  STACK 
KERNEL^ENTRY; 

/»  IGNORE  CALL  IF  NOT  MADE  FROM  SUPERVISOR  MODE 

IF  (PSW  R PREV_MODE__MASK)  = PREV  MODE  SUPERV; 

THEN: 


♦/ 


♦/ 


/*  ACCESS  SUPERVISOR'S  STACK  THROUGH  KSR3  ♦/ 

KSDR3  :=  SDRO; 

KSAR3  :=  SAPO; 

/♦  CALL  PARAMETER  CHECKER  - WHO  IN  TURN  CALLS  THE  REQUESTED  FUNCTION  ♦/ 

RC  :=  PCHECK; 

/♦  REGAIN  ACCESS  TO  SUPERVISOR'S  SR  0 STACK  AND  INSERT  RETURN  CODE  ♦/ 

KSDRl  :=  SDRO; 

KSAR  3 : = SARO; 

KRC  :=  RC; 


END; 

/♦ 

RESTORE  SUPERVISOR'S  REGISTERS  AND  RETURN 

♦/ 

KERN 

EL_SXIT; 

/* 

INTERRUPT  ^NTRY  POINTS 

♦ / 

/* 

DISK 

♦/ 
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KERN£L_E:NTP  Y; 
V(DISK_SMFR)  ; 

KERNE  lIfxTT; 

/*  DEC  WRITER 

KFRNBL^ENTRY; 

V (DECW^PROCESS#)  ; 
KERNEL_EXIT; 

/♦  TTY 

KERNEL^ENTRY ; 

V (TTY_PROCESSi)  ; 
KERNEL_EXIT; 

/♦  SCOPE1 

KERNEL_ENTR  Y; 
V(SCOPE1_PROCESS#)  ; 


KERNEL_EXIT; 

/♦  SCOPE2 

K^RNEL_ENTPY; 

V (SCOPE2_PROCESS#)  ; 
KESNEL^FXIT ; 


3.2.2  Parameter  Checker  (PCHECK) 

The  Parameter  Checker  CPC,  PCHECK,  is  a kernel  level  internal 
SKCPP  function  that  is  called  by  only  one  other  kernel  level  internal 
function,  GATE.  PCHECK  calls  all  of  the  user  level  external  functions 
as  well  as  other  kernel  level  internal  functions.  It  is  written  in 
Project  SUE  System  Language. 

3. 2. 2.1  Description 

PCHECK  calls  an  externally  reachable  function  if  all  input  para- 
meters are  within  acceptable  ranges  and  if  the  seg//  parameter  (if 
required)  identifies  a segment  in  the  processes  WS. 

It  checks  the  function  code:  if  FUNCTION_CODE_APARM  is  less  than 
FUNCTION_CODE_MIN  or  greater  than  FUNCTION_CODE_MAX,  PCHECK  returns 
the  SEVEREJFLAG.  Otherwise,  it  sets  FUNCTION_CODE  equal  to 
FUNCTION__CODE_APARM.  It  then  performs  a P on  the  kernel  semaphore  to 
block  the  kernel  until  after  the  function  is  performed,  preventing 
more  than  one  process  from  occupying  the  kernel  at  a time.  PARM_FLAGS 
is  assigned  FUNCTION_ARRAY(FUNCTION_CODE) , which  indicates  which 
parameters  the  function  takes,  and  RC  is  set  to  OK_FLAG. 
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If  the  seg//  parameter  is  required,  PCHECK  tests  if  the  parameter 
supplied  lies  within  the  accepted  range,  as  follows:  if  the  logical 
and  of  PAEM_FLAGS  and  SEG#_FLAG  is  not  equal  to  zero,  the  specified 
function  requires  the  seg#  parameter.  SEG#_PARM  is  set  equal  to 
SEG#_APAEM.  Then,  if  SEG#__PAEM  is  less  than  SEG#_MIN  or  greater  than 
SEG#_MAX,  RC  is  set  to  SEVERE_FLAG. 

PCHECK  also  checks  that  the  seg#  identifies  a segment  in  the 
process 'sWS  if  the  seg#  parameter  is  required.  If  RC  is  not 
SEVERE__FLAG,  ASTE#_PARM  is  assigned  the  value,  PS__SEG(SEG#_PARM)  . 

Now,  if  the  logical  and  of  ASTE#__PARM  and  SEG_FLAG  is  not  equal  to 
zero,  PS_SEG(SEG#_PARM)  held  a seg#.  Therefore,  it  must  have  been  on 
the  free  segment#  chain.  Hence,  the  segment  specified  was  not  in  the 
WS  of  the  process,  so  RC  is  set  to  zero.  Otherwise,  PS__SEG(SEG#_PARM) 
held  an  aste#  and  RC  remains  set  to  OK__FLAG, 

In  a similar  manner,  if  the  offset,  classification,  mode,  reg#, 
and  process#  parameters  are  required,  PCHECK  checks  that  the  values 
supplied  lie  within  their  acceptable  ranges.  Then,  to  CAT^PARM, 
SEG_TYPE_PARM,  SIZE_PARM,  USER_PARM,  PROJECT_PARM,  and  MESSAGE_PARM, 
it  assigns  the  respective  values  of  CATLAP  ARM,  SEG__TYPE__APARM  logical 
and  DIR_TYPEJiASK,  SIZE_APARM,  USER_APARM  logical  and  ACL_USERJiASK, 
PROJECT_APARM,  and  MESSAGE_APARM. 

If  RC  is  not  SEVERE_FLAG,  PCHECK  uses  a case  selector  to  call 
the  function  specified  by  FUNCTION__CODE  and  set  RC  to  the  value 
returned.  To  prevent  compile-time  parse  stack  overflow  due  to  an 
implementation  quirk,  the  case  selection  is  broken  up  into  two  cases, 
FUNCTION_CODE  between  1 and  9 and  FUNCTION_CODE  between  10  and  20, 
selected  by  an  IF  statement. 

PCHECK  then  calls  V to  increment  the  kernel  semaphore,  and 
returns  RC. 

There  are  two  short  functions  that  are  incorporated  into  the 
case  selector  under  their  FUNCTI0N_C0DE  tags.  They  are  the  T func- 
tion whose  FUNCTI0N_C0DE  tag  is  12  and  the  PROCID  (process  identifi- 
cation) function  whose  FUNCTI0N_C0DE  tag  is  18.  Both  have  macros, 
in  context  NOFORN,  associated  with  them. 

The  T function,  which  is  user  callable,  is  an  inquiry  about  the 
semaphore  count  which  does  not  require  write  access . If  SMFR__COUNT 
(ASTE_PARM)  is  less  than  zero,  T sets  RC  to  ERR_FLAG. 

The  PROCID  function  merely  assigns  RC  the  value  of  PS_CIJRRENT_ 
PROCESS.  The  process  can  use  this  to  index  the  process  directory 
directory  and  find  its  process  directory  or  to  index  the  I/O  segment. 
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Function:  PCHECK 

Parameters : PCHECK(f unction_code , seg# , offset , class , cat , type , 

size , mode , user_id , pr o j ect_id , reg# , process# .block#) 

Effect : 

IF  (FUNCTION_CODE_MIN  <=  f unction_code  <=  FUNCTION_CODE_MAX  & 
(not  SEG#_PARM(function_code) | 

((SEG#_MIN  <=  seg#  <=  SEG#_MAX)  & 

PS_SEG_INUSE(TCP,seg#)))  & 

(not  OFFSET_PAElM(function_code)  | 

(OFFSET_MIN  <=  offset  <=  OFFSET_MAX))  & 

(not  CLASS_PARM( function code) I 

(CLASS_MIN  <=  class  <=  CLASS_MAX))  & 

(not  CAT_PARM(function_code) I 
(cat  C CATEGORY_SET))  & 

(not  TYPE_PARM(function_code) I 

((type  = DIRECTORY)  | (type  = DATA)))  & 

(not  SIZE_PARM(f unction_code) I 
(SIZE_MIN  <=  size  <=  SIZE_MAX))  & 

(not  MODE_PARM(function_code) I 

((mode  = WRITE)  | (mode  = READ)  | (mode  = NO)))  & 

(not  USER_ID P ARM (function  code)  | 

(USER_ID_MIN  <=  user_id  <='~USEE_ID_MAX) ) & 

(not  PROJECT_ID_PARM(function_code) | 

(PROJECT_ID_MIN  <=  project_id  <=  PROJECT_ID_MAX) ) & 

(not  REG#_PARM(function_code) | 

(REG#_MIN  <=  reg#  <=  REG#_MAX) ) & 

(not  PROCESS#_PARM(functlon_code) I 
(PROCESS#_MIN  <=  process#  <=  PROCESS #_MAX) ) & 

(not  BLOCK#_PARM(functlon_code) | 

(BLOCK#_MIN  <=  block  # <=  BLOCK#_MAX) ) ; 

THEN:  Let  aste#  = PS_SEG(TCP ,SEG#) ; 

CASE  of  f unctlon_code : 

1.  CREATE (TCP, aste#, of f set , class , cat , type, size) ; 

2.  DELETE (TCP, aste#, off set) 

3.  GIVE(TCP, aste#, offset, mode, user_id,project_id) ; 

4.  RESCIND (TCP, aste#, off set, user_id,project_id) ; 

5.  GETW(TCP , aste# , of f set) ; 

6.  GETR(TCP , as te# , of f set) ; 

7.  DCONNECT(seg#,aste#) ; 

8 . ENABLE (TCP , aste# , reg#) ; 

9.  DISABLE (reg#) ; 

10.  OUTERP(aste#) ; 

11.  OUTERV(aste#) ; 

12.  T(TCP,aste#) ; 

13.  IPCSEND(process#, message, USER_DOMAIN) ; 

14.  IPCRCV; 
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15 • STARTP (TCP , user__id , pr o j ect_id , class , cat , process# , offset) ; 

16.  STOPP; 

17 . CHANGEO(TCP, aste# ,off set , class , cat) ; 

18.  KPROCID(TCP) ; 

19.  INITH(TCP, aste#, offset, cat) ; 

20.  READIR(TCP,aste#,offset) ; 

ELSE:  RC(TCP)  = NO 
END; 


3. 2. 2. 2  N/A 


3. 2. 2. 3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 


Called  By  Calls 

GATE  CREATE 

DELETE 

GIVE 

RESCIND 

OUTERP 

OUTERV 

STARTP 

STOPP 

CHANGEO 

INITH 

READIR 

IPCRCV 

IPCSEND 

GETW 

GETR 

ENABLE 

DISABLE 

DCONNECT 

P 

V 


3. 2. 2. 4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  PCHECK.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
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For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References 

Function  Parameters 

Local  References 

PS_SEG 

FUNCTION  CODE 

SEG//_PARM 

PS_CURRENT  PROCESS 

SEC# 

OFFS ET_P  ARM 

SEG//_APARM 

OFFSET 

CLASS_PARM 

OFFSET  APARM 

CLASS 

CAT  FARM 

CLASS_APARM 

CAT 

SEG_TYPE  FARM 

CAT  APARM 

TYPE 

SIZE_PARM 

SEG_TYPE_APARM 

SIZE 

MODE_PARM 

SIZE  APARM 

MODE 

USER  FARM 

MODE_APARM 

USER  ID 

PROJECT_PARM 

USER  APARM 

PROJECT  ID 

REG//  FARM 

PROJECT_APARM 

REG// 

PROCESS//_PARM 

REG//_APARM 

PROCESS// 

MESSAGE_PARM 

PROCESS//  APARM 

BLOCK// 

ASTE//  FARM 

MESSAGE  APARM 

PARM_FLAGS 

FUNCTION_CODE_APARM 

FUNCTION  CODE  TYPE 

FUNCTION_CODE 

RC 

FUNCTION_ARRAY 

Constants 


ACL_USER_MASK 

CLASS_FLAG 

CLASSJIAX 

CLASS_MIN 

DIR_TYPE_MASK 

ERR_FLAG 

FUNCTI ON_C  ODE_MAX 

FUNCTION_CODE_MIN 

KERNEL_SMFR 

MODE_FLAG 

NO_ACCESS 

OFFSET_FLAG 

OFFSET  MAX 


OFFSET_MIN 

OK_FLAG 

P ROCKS  S//_FLAG 

PROCESS//_MAX 

PROCESS //_MIN 

READ $EXECUTE_AC CE S S 

REG_FLAG 

REG#_MAX 

REG//_MIN 

SEG//_FLAG 

SEG//_MAX 

SEG//_MIN 

SEVERE_FLAG 

WRITE$READ$EXECUTE_ACCESS 


34 


3. 2. 2. 5 Limitations 


PCHECK  returns  SEVERE_FLAG  if  the  parameters  passed  to  it  do 
not  fall  within  the  acceptable  ranges  or  if  the  seg//  (if  required) 
is  not  in  the  processes  WS. 

3. 2. 2. 6 Listing 

D^TA  PCHECK  RETURNS  (RC)  ; 


PROGRAM  PCHECK; 

TYPE  FUNCTION_CODE_TyPE  ^ (0  TO  FUNCTION  CODE  MAX) ; 

DECLARE 

FUNCTION_CODE_TYPE  ( FU NCTION^CO DE) ; 

DECLARE 

WORD  (SEG#_PARM,  OFFSET_PAPM,  CLASS^PARM,  CAT^PARM,  SEG_TYPE_P AR M , SIZE^PARH, 
MODE^PARM,  OSER^PARM,  PROJECT  PARM,  REG#”PARM,  PROC ES S ARM , 

MESSAGE_PARn,  ASTE#_PARMr  PARM^FLAGS); 

/♦  CHECK  FUNCTION  CODE  ♦/ 

IF  FONCTION_CODE_APARM  < FU NCT ION _CO DF_M IN ; 

THEN; 

RETURN  WITH  SSVERE^FLAG; 

END; 

IF  FUNCTION_CODE_APAPM  > FU  NCT  ION_CO  D F_M  A X; 

THEN: 

....  RETURN  WITH  SEVERE_FLAG; 

END; 

FUNCTION^CODF  :=  FU NCT lON^COD E_ AP AR M ; 

P(KERNEl3sMFR) ; 

PARM_FLAGS  :=  F UNCTION^ARR A Y (FUNCTI ON_CODE) ; 

RC  :=  OK^FLAG; 

/♦  CHECK  SEG#  PARAMETER  IF  REQUIRED  ♦/ 

IF  (?ARM_FLAGS  & SEG#_FLAG)  --=  0; 

THEN:  SEG#_PARM  SEG#_AFARM; 

IF  SEG#_PARM  < SEG#_MTN; 

THEN;  RC  :=  SEVERE^FLAG; 

FND; 

IF  SEG#_PARM  > SEG#_MAX; 

THEN:  RC  :=  SEVERE^FLAG; 

END; 

IF  RC  -=  SEVERS^FLAG ; 

THEN:  ASTE#_PARM  :=  PS^SFG  (SEG #_PA RM ) ; 

IF  (ASTEi^PARM  G SEG^FLAG)  -.=  0; 

THEN:  RC  :=  SFVERE^FLAG; 

END; 


END; 


END; 
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CHECK  OFFSET  PAFW  IF  BEQUIBED 


/* 


IF  (PAHM_FLAGS  & OFFSBT_FLAG)  -.=  0; 
THEN:  OFFSET_PAHM  :=  OFFSET_APAHM ; 


♦/ 


IF  OFFSET_PABn  < OFFSET_HIN; 

THEN:  BC  :=  SEVEBE^FLAG; 
END; 

IF  OFFSET_PABM  > OFFSET_flAX; 

THEN:  BC  :=  SEVEHE_FLAG; 
END; 


END; 


/♦  CHECK  CLASSIFICATION  PAHAflETSH  IF  BEQUIBED  ♦/ 

IF  (PAHH^FLAGS  6 CLASS.FLAG)  -.=  0; 

THEN:  CLASS_PABM  :=  CLASS^APABM; 

IF  CLASS_PABM  < CLASS^HIN; 

THEN:  BC  :=  SEVEBE^FLAG; 

END; 

IF  CLASS_PABM  > CLASS^MAX; 

THEN;  BC  :=  SEVEHE_FLAG; 

END; 


END; 

/*  NO  SYNTACTIC  ERHOH  CHECKING  FOR  CATEGCBY  PARAMETER  ♦/ 

CAT_PARM  :=  CAT_APARM; 

/♦  NO  CHECKING  OF  SEG_TYPE  PARAMETER  */ 

SEG_TYPE_PABM  :=  (SEG_TYPE_APABM  6 DIR_TYPE_*1ASK)  ; 

/♦  NO  CHECKING  OF  SIZE  PARAMETER 

SIZE_PABM  :=  SIZE_APARM; 

/♦  CHECK  MODE  PABM  IF  BEQUIBED 

IF  (PABM  FLAGS  5 MODE_FLAG)  -=  0; 

THEN:  MODE_PABM  :=  MODE^APABM ; 

IF  (MODE_PARM  -»=  W RITE$BEAD$  EX  EC(ITE_ACCESS)  6 (MODE_PABM  -«=  BE  AD>$EXECUTE_ACCESS 
) &”(MODE_PARM  -.=  NO^ACCESS)  ; 

THEN:  RC  SEVEBE_FLAG; 

END; 


END; 

/♦  NO  CHECKING  OF  USER  PARAMETER 
aSER_PARM  :=  (USER^APARM  & ACL_USER_MASK)  ; 
/♦  NO  CHECKING  OF  PROJECT  PARAMETER 
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PPOJECT_PAPI*!  :=  PROJECT_APAFfl  ; 

/♦  CHECK  REG#  IF  REQUIRED  */ 

IF  (PAFM_FLAGS  & REG_FLAG)  -=  0; 

TH^N:  REG#_?APn  :=^  FEG#_APAFn; 

IF  PEG#_PAF?!  < FEG#_KIN; 

THEN:  RC  SEVEPE_FLAG; 

END; 

IF  FEG#_PAF!1  > REG#_flAX; 

THEN:”pC  :=  SEVERE_PLAG; 

END; 

END; 

/♦  CHECK  PROCESS#  PARAMETER  IF  FEOUIPED  ♦/ 

IF  (PAF!1_FLAGS  6 PROCESS#_FLAG)  -=  0; 

THEN:  PROCESS #_PAFM  ;=  PPOCESS#_APARM ; 

IF  PROCESS #_PARM  < PROC ESS#^M IN ; 

THEN:  PC  T=  SEVERS_FLAG; 

END; 

IF  PROCFS.S#_PAPM  > PROCF ‘^S  i_M  AX  ; 

"’HEN:  PC  ;=  SFVEPE_FLAG; 

END; 

END  ; 

/♦  NO  CHECKING  OF  MESSAGF  PARAMETER  */ 

MESSAGE_PARn  ;=  M ESS AGF_ AP AFM ; 

IF  RC  -=  SEVERF_FLAG; 

THEN; 

IF  FUNCTION_CODE  < 10; 

THEN: 

CASE  FUNCTION  CODE  TYPE  TAG  FUNCTION  CODE; 

1;  RC  :=  CREATF(ASTE#_PARM,  OFFSST_PARM,  CLASS^PARM,  CAT_PARM, 
SEG_TYPE_PAPm7  SIZE_PAP[1)  ; 

2:  RC  :=  DELETE (ASTEi_P ARM , OPFSET_PA R M) ; 

3:  PC  :=  GIVE(ASTE#_PARn,  OFFSET_PAPM,  MODE^PARM,  USER^PARM, 

PROJECT_PARM)  ; 

U;  RC  :=  RESCIND(ASTEi_PARM,  OPPSET^PARM,  USEB_PARM,  PROJ ECT_P ABM) ; 

S:  RC  :=  GETW ( ASTE#_P ARM,  OPFSET_PARM)  ; 

6:  RC  :=  GETR  (ASTE#_P  ARM,  OFFSET_PARM)  ; 

7:  DCONNECT  (SEG#_PARM,  ASTE#_PARM) ; 

B:  RC  :=  ENARLE( ASTE#_P ARM,  REGi_PARM) ; 

0:  DISABLE  (RSGi^PARM)  ; 

END; 
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ELSE: 


CASE  FUNCTrON_CODE_TYPE  TAG  FUNCTION  CODE; 
10:  RC  :=  OUTER? ( ASTE#_PARn) ; 

11:  RC  :=  OUTERV  (ASTS#_PARM)  ; 

12: 

IF  S MFH_CODNT ( ASTE«_PARM) <=  0; 

THEH:'~RC  :=  EER_FLAG; 

FND; 


1 1: 
1 U; 
1 5: 

1^: 

17; 

19: 

20: 


IPCS  E!JD  (PROCES.S#_r  AP^  , 1 ESS  AGE^PAR  M , 0); 

PC  :=  IPCRCV; 

RC  :=  START?  (USEP_PAH"1,  PPOvlECT^PARM,  CLASS^PARM,  CAT  FARM, 
PROCESS#_PARM , OFFSET  PARM); 

STOPP; 

RC  :=  CHA  NGEO  (ASTE#_PARM,  OEF3FT_PAFM,  CLASS_PAR«,  CAT_PARf1); 
RC  :=  PS_CURRENT_PROCESS; 

RC  :=  INITH(ASTE#_PAR'l,  OEFSRT^PARM,  CAT_PARM); 

RC  ;=  READIF  ( ASTF  »_PAPM,  OF  F3  rjT_P  AP  M)  ; 


END; 


END; 


V (KERNEL_S  NPP)  ; 


3.2.3  Create  Segment  (CREATE) 

The  Create  Segment  CPC,  CREATE,  is  a user  level  external  SKCPP 
function  that  is  called  by  user  level  external  programs  with  the 
parameters  seg//,  offset,  class,  cat,  type,  and  size.  CREATE  calls 
only  kernel  level  internal  functions.  It  is  written  in  Project  SUE 
System  Language. 

3. 2. 3.1  Description 

CREATE  creates  a segment  if  security  and  implementation  re- 
quirements are  met.  It  calls  WRITEDIR  which  sets  RC  to  OK_FLAG  if 
the  intended  parent  segment  is  a directory  to  which  the  process  has 
write  access;  otherwise,  WRITEDIR  sets  ERR_FLAG.  CREATE  then  sets 
RC  to  ERR^FLAG  if  the  classification  of  the  new  segment  is  less  than 
that  of  the  parent  segment,  if  the  category  set  of  the  new  segment 
does  not  include  that  of  the  parent  segment,  if  the  size  of  the  new 
segment  is  not  allowable,  or  if  the  offset  does  not  identify  a free 
directory  entry.  If  RC  is  not  set  to  ERR_FLAG,  DALLOC  allocates  disk 
space  for  the  segment  with  address  DISK_ADR.  DIR__TYPE  is  assigned 
SEG_TYPE  or  DIR_UNINITIALIZED  or  CLASS,  DIR_CAT  is  assigned  CAT, 
DIR_DISK  is  assigned  DISK__ADR,  and  DIR_SIZE  is  filled  in  with  SIZE. 
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Func  t ion : CREATE 

Parameters : CREATE  (process//,  as  te#,  of  f set , class  , cat , type , 

size) 

Effect: 

IF  not  AST__WAL(aste//, process//)  | 

(class  < AST_CLASS(aste//))  | 

(cat  ^ AST__CAT(aste//))  | 

(AST_TYPE(aste//)  ^ DIRECTORY)  I 
(’DIR_SIZE’ (aste//,offset)  4 0)  | 

(size  i SIZE_SET)  | 

((type  = DIRECTORY)  & (size  ^ DIRECTORY_SIZE) ) 

THEN:  RC  (process//)  = NO; 

ELSE:  DIR__TYPE(aste//, offset)  = type; 

DIR__STATUS(aste//,  offset)  = UNINITIALIZED; 

DIR__CLASS  (aste//,  off  set)  = class; 

DIR__CAT(aste//,  of  f set)  = cat ; 

DIR__SIZE(aste// , of  fset)  = size ; 

DISK_ALLOC(size)  ; 

DIRJDISK(aste//,  offset)  = NEXT_DISK_ADDRESS  ; 
DIR_ACL_HEAD(aste//,offset)  = 0; 

RC(process//)  = YES; 

END; 

3.2.3.2  N/A 

3 . 2. 3. 3 Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

P CHECK  WRITEDIR 

DALLOC 


3. 2. 3. 4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and  con- 
stants used  by  the  function  CREATE.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2. 
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Data  Base  References 


Global  References  Function  Parameters  Local  References 


AST_CLASS 

AST_CAT 

DIR_SIZE 

DIRJTYPE 

DIR_CAT 

DIR  DISK 


ASTE# 

OFFSET 

CLASS 

CAT 


DISKJU)R 

RC 


SEG_TYPE 

SIZE 


DIR_SIZE 

Constants 

AST_CLASS_MASK 

BMT_SIZE2_ADR 

DIR__UNINITIALIZED 

ERR__FLAG 

SIZE2 

3. 2. 3-5  Limitations 

CREATE  returns  with  ERR_FLAG  if  the  intended  parent  segment  is 
a directory  to  which  the  process  does  not  have  write  access , if  the 
classification  of  the  new  segment  is  less  than  that  of  the  parent 
segment,  if  the  category  set  of  the  new  segment  does  not  include  that 
of  the  parent  segment,  if  the  size  of  the  new  segment  is  not  allow- 
able, or  if  the  offset  does  not  identify  a free  directory  entry. 

3. 2. 3. 6 Listing 


CREATF  (ASTE#,  OFFSET,  CLASS,  CAT,  SEG_TYPE,  SIZE)  RETURNS  (RC)  ; 
DECLARE 

PROCEDURE  ACCEPTS  (WORD)  RETURNS  (WORD)  (DALLOC); 


PROGRAM  CREATE; 

DECLARE 

WORD  (DISK_ADR); 

/♦  SECURITY  CHECKS  FIRST  ♦/ 

/♦  CREATE  IS  INTERPRETATIVE  DIRECTORY  WRITE  ♦/ 

RC  :=  WRITEDIR  (ASTE#)  ; 

/♦  CHECK  COMPATIBILITY  REQUIREMENTS  ♦/ 

IP  CLASS  < (AST_CLASS  (ASTE#)  6 AST_CLASS_MASK)  ; 

THEN:  RC  EBR_FLAG; 

END; 
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IF  CAT  ( AST^CAT  ( ASTEi)  | CAT); 

THEN:  RC  :=  ERR_FLAG; 

END; 

/♦  IMPLEMENTATION  CHECKS  ♦/ 

/♦  CHECK  SIZE  PARAMETER  - ONLY  SIZE2  ALLOWED  AT  THIS  TIME  ♦/ 

IF  SIZE  -.=  SIZE2; 

THEN:  RC  :=  EPR_FLAG; 

END; 

/♦  CHECK  OFFSET  PARAMETER  ♦/ 

IF  DIR_SIZE  (OFFSET)  0; 

then”  RC  :=  ERR_FLAG; 

END; 

IF  RC  = ERR_FLAG; 

THEN; 

RETURN; 

END; 

/♦  ALLOCATE  A DISK  AREA  FOR  THE  SEGMENT  ♦/ 

DISK^ADR  :=  DALLOC  (BMT_SIZE2_ADB)  ; 

/*  CHECKING  COMPLETE  - PERFORM  STATE  CHANGE  ♦/ 

/♦  FILL  IN  DIRECTORY  ENTRY  ♦/ 

DIR_TYPE  (OFFSET)  :=  (SEG^TYPE  | DIR_DN  INITIAL  IZED  | CLASS); 

DIR”cAT  (OFFSET)  :=  CAT; 

DIR_DISK  (OFFSET)  DISK^ADR; 

DIR_SIZE(OFFSET)  Z-  SIZeT 


3.2.4  Delete  (DELETE) 

The  Delete  CPC,  DELETE,  is  a user  level  external  SKCPP  function 
that  is  called  by  user  level  external  programs  with  the  parameters 
seg//  and  offset.  DELETE  calls  only  kernel  level  internal  functions. 
It  is  written  in  Project  SUE  System  Language. 

3. 2. 4.1  Description 

DELETE  removes  all  ACL  elements  from  the  parent  directory  entry 
identified  by  ASTE#,  OFFSET,  deactivates  the  specified  segment,  frees 
its  disk  space,  and  marks  the  parent  directory  entry  available.  If 
WRITEDIR  returns  ERR__FLAG  indicating  that  the  parent  segment  is  not 
a directory  to  which  the  calling  process  has  write  access  or  if  the 
entry  to  be  deleted  is  of  size  zero,  DELETE  returns  with  ERR__FLAG. 

If  not,  DELETE  calculates  the  logical  and  of  DIR__TYPE  and  DIR__TYPE__ 
MASK  to  separate  type  information  from  the  status  and  class.  If  the 
result  is  not  DIR_jrYPE_piRECTORY , the  entry  is  a data  segment; 
DELETSEG  is  called  to  remove  all  ACL  elements,  deactivate  the  seg- 
ment, free  its  disk  space,  and  set  DIR__SIZE  = 0 which  marks  the 
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entry  available.  If  the  result  equals  DIR_TYPE_DIRECTORY,  DELETSEG 
cannot  be  called  until  the  directory  is  empty. 

DELETE  then  begins  the  directory  deletion  cycle:  SPASTE#  and 
SOFFSET  are  assigned  the  values  of  the  ASTE//  and  OFFSET  of  the 
original  directory  to  be  deleted. 

The  process  to  find  and  delete  the  lowest  directory  in  the 
hierarchy  starting  with  the  specified  directory  then  follows: 

DELETE  finds  the  disk  address  of  the  directory  specified  by  SPASTE//, 
SOFFSET.  It  then  calls  HASH,  which  returns  the  directory’s  own  ASTE// 
if  it  is  active,  or  0 if  it  is  not.  If  it  is  0,  ACT  is  called  to 
activate  the  directory  and  SASTE//  is  set  to  the  ASTE//  of  the  directory 
to  be  deleted.  Its  segment  descriptors  are  then  loaded  by  GETDIR. 
DELETE  then  scans  the  entries  of  the  directory  to  be  deleted  starting 
with  TOFFSET  equal  to  OFFSET_MIN.  If  the  size  of  the  entry  identi- 
fied by  TOFFSET  is  zero,  the  scan  of  directory  entries  is  continued. 
Otherwise,  DELETE  tests  if  the  DIR_TYPE  of  the  segment  and  DIR__TYPE_ 
MASK  equals  DIR_TYPE_DIRECTORY.  If  so,  this  entry  is  itself  another 
directory  whose  entries  must  be  deleted  before  it  can  be  deleted. 

In  this  case,  DELETE  resets  SPASTE//  and  SOFFSET  to  SASTE//  and 
TOFFSET  and  repeats  the  directory  deletion  process.  If  not,  the 
entry  is  a data  segment  which  DELETSEG  deletes.  The  entry  scan 
continues  until  TOFFSET  equals  OFFSET_MAX.  Then,  the  directory  is 
empty  and  DELETE  can  call  DELETSEG  to  remove  it.  If  SPASTE//  is  not 
equal  to  ASTE//,  the  last  directory  deleted  was  part  of  the  sub- 
hierarchy of  the  directory  orginally  specified  to  be  deleted-  DELETE 
loads  the  segment  descriptors  of  the  original  directory  and  continues 
the  directory  deletion  cycle.  If  SPASTE//  = ASTE//,  the  last  directory 
deleted  was  the  original  segment;  DELETE  sets  RC  to  OK^JFLAG  and 
returns  control  to  the  calling  program. 

Function:  DELETE 

Parameters:  DELETE  (pro  cess// , aste//,  of  fset) 

Effect: 

AST__WAL(aste//, process//)  | 

(AST__TYPE(aste//)  ^ DIRECTORY)  I 

(’DIR__SIZE’ (aste//, offset)  = 0); 

THEN:  RC  (process//)  = NO; 

ELSE: 

IF  ’DIR_ACL_HEAD’ (aste//,  of  fset)  ^ 0; 

THEN:  Let  acle//  = FINDEND(aste//, ’DIR__ACL__HEAD’ (aste//, 

offset) ; 

ACL_CHAIN(aste//,acle//)  = ’ACL__CHAIN’ (aste//,0)  ; 
ACL_CHAINUste//,0)  = ’DIR_ACL__HEAD’  (aste// , of  fset)  ; 

END; 
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DIR_SIZE(aste#, offset)  = 0; 
DELETSEG(aste//,  offset) 

IF  DIR_TYPE (as te//, offset)  = DIRECTORY; 
THEN:  DELETSEG(aste//, offset) 

END; 

RC  (process//)  = YES ; 

END; 


3. 2. 4. 2 N/A 

3. 2. 4. 3 Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3*4. 

Called  By  Calls 

PCHECK  GETDIR 

DELETSEG 

WRITEDIR 

HASH 

ACT 

3. 2. 4. 4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  DELETE.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 

DIR_SIZE  ASTE#  SPASTE# 

DIR_TYPE  OFFSET  SASTE// 

SOFFSET 

TOFFSET 

RC 

Constants 

DIR_TYPE 

DIR_TYPE_DIRECTORY 
DIR_TYPE_MASK 
OK  FLAG 
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3. 2. 4. 5 Limitations 


DELETE  returns  ERR_FLAG  if  the  parent  segment  is  not  a directory 
to  which  the  calling  process  has  access  or  if  the  entry  to  be  deleted 
is  of  size  zero.  Otherwise,  RC  = OK^FLAG. 

3. 2. 4. 6 Listing 


DATA  DELETE(ASTE#,  OFFSET)  RETURNS  (RC)  ; 

DECLARE 

PROCEDURE  ACCEPTS  (WORD)  (GSTDIR) , 
PROCEDURE  ACCEPTS  (WORD,  WORD)  (DELETSEG); 


PROGRAM  DELETE; 

DECLARE 

WORD  (SPASTE#,  SASTE#,  SOFFSET,  TOFFSET)  ; 

/♦  SECURITY  CHECKS  FIRST 

/♦  DELETE  IS  AN  INTERPRETATIVE  DIRECTORY  WRITE 

IF  WRITEDIR  ( ASTEi)  = ERR_FLAG; 

THEN: 

RETURN  WITH  ERR^FLAG; 

END  ; 

/♦  IMPLEMENTATION  CHECKS 

IF  DIR^SIZE  (OFFSET)  = 0; 

thenT 

RETURN  WITH  ERB^FLAG; 

END; 


*/ 

♦/ 


*/ 


/♦  ELIMINATE  CASE  OF  DATA  SEGMENT  V 

IF  (DIR_TYPE(OFFSET)  & DI  R_TY  P E_M  A SK ) DI  R_T  YPF_D  IRECTOPY  ; 

THEN:“nELETSEG  (ASTE#,  OFFSET)! 

ELSE:  <OUTER_CYCLF> 

CYCLE 


/♦  , START  AT  THE  TOP  OF  THE  CHAIN  AND  WORK  DOWN  ♦/ 

SPASTE#  :=  ASTEi; 

SOFFSET  :=  OFFSET; 

<INNFR_CYCLE> 

CYCLE 


/*  ASSURE  DIRECTORY  TO  BE  DELETED  IS  ACTIVE  */ 

SASTE#  :=  HASH (DIR_DISK(SOFFSET))  ; 

IF  SASTE#  = 0; 

THEN;  SASTE#  :=  ACT(SPASTEi,  SOFFSET)  ; 

END; 

/♦  LOAD  SEGMENT  DESCRIPTORS  */ 

GETDIR  (S  ASTE#  ) ; 
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SEARCH  THE  DIRECTORY  FOR  ENTRIES  OF  NON-ZERO  SIZE 


/♦ 


♦/ 


DO  TOFFSET  :=  OFFSET_f!lN  TO  OFFSET_HAX; 

IF  DIR  SIZE  (TOFFSET)  0; 

THEN? 

IF  (DIR_TYPE (TOFFSET)  S DIR_TYPE_HASK)  = DIR_TTPE_DI RECTORY; 
THEN:  /♦  GAIN  ACCESS  TO  a”dIRECTORY  ENTBY--PREP  AR  E TO 
SEARCH  */ 

SPASTE#  :=  SASTE#; 

SOFFSET  :=  TOFFSET; 

REPEAT  <INNER_CYCLE>; 

ELSE:  /♦  DELETE  A DATA  SEGMENT  ENTRY  */ 

DELETSEG(SASTEi,  TOFFSET)  ; 


END; 

END; 


/♦  THIS  DIRECTORY  IS  EMPTY — DELETE  IT  ♦/ 

GETDIR(SPASTE#) ; 

DELETS  EG  (S  PAST  E#  , SO  FFSET)  ; 

/♦  FINISHED?  ♦/ 

....  EXIT  <OUTER_CYCLE>  WHEN  SPASTE#  = ASTE#; 

/♦  LOAD  SEGMENT  DESCRIPTORS  OF  ORIGINAL  DIRECTORY  ♦/ 

GETDIR(ASTE#) ; 

REPEAT  <OUTER_CYCLE>; 

END  <INNSR_CYCLE>;” 

END  <OUTER_CYCLE> ; 

END; 

RC  ;=  OK_FLAG; 


3.2.5  Give  Access  (GIVE) 


The  Give  Access  CPC,  GIVE,  is  a user  level  external  SKCPP  func- 
tion that  is  called  by  user  level  external  programs  with  the  para- 
meters seg//,  offset,  mode,  user,  and  project.  GIVE  calls  only  kernel 
level  internal  functions.  It  is  written  in  Project  SUE  System 
Language. 

3. 2. 5.1  Description 

GIVE  adds  an  ACL  element  to  the  directory  entry  of  a segment  if 
all  constraints  are  satisfied.  It  calls  WRITEDIR  which  returns 
ERR_FLAG  if  the  process  does  not  have  write  access  to  the  parent 
directory  of  the  segment.  If  WRITEDIR  returns  ERR_FLAG  or  if  DIR_ 
DISK  for  the  segment  is  zero  indicating  the  segment  is  non-existent, 
GIVE  returns  with  ERR_FLAG.  GIVE  then  scans  the  ACL  beginning  at 
the  element  specified  by  DIR_ACL_HEAD  until  ACL_CHAIN  equals  zero. 


45 


If,  for  an  existing  element,  the  logical  and  of  ACL_USER  and  ACL_ 
USER_MASK  matches  the  USER  specified  in  the  function  call,  and  ACL_ 
PROJECT  matches  the  PROJECT  specified  in  the  function  call,  GIVE 
returns  with  ERR_FLAG.  Otherwise,  it  allocates  an  ACL  element  ACLE# 
equal  to  ACL_CHAIN  (0) , which  holds  the  head  of  the  free  element 
chain.  If  ACLE#  equals  zero,  no  more  elements  are  free,  and  GIVE 
returns  with  ERR_FLAG;  if  not, GIVE  resets  ACL_CHAIN(0)  to  the  number 
of  the  next  element  held  in  ACL_CHAIN(ACLE//)  . GIVE  then  finds  the 
proper  position  for  the  new  element.  POSITION  is  set  to  zero.  If 
DII^ACL_HEAD  is  zero,  the  ACL  is  empty  and  the  element  may  be  in- 
serted at  POSITION  zero.  If  the  ACL  is  not  empty,  and  USER  is 
ALL^USERS  and  PROJECT  is  ALL__PROJECTS  the  new  element  belongs  at  the 
end  of  the  list:  GIVE  finds  this  by  setting  POSITION  to  DIR_ACL_ 
HEAD (OFFSET)  and  resetting  it  to  ACL_CHAIN (POSITION)  repeatedly 
until  ACL_CHAIN (POSITION)  equals  zero.  If  USER  is  ALLJJSERS  or  PRO- 
JECT is  ALL^jPROJECTS  but  not  both,  GIVE  tests  if  the  first  entry  in 
the  ACL,  ACL_USER(DIR__ACL_HEAD (OFFSET))  and  ACL_USER_MASK  is  ALL_ 
USERS.  If  so,  the  element  can  be  placed  first  in  the  list  at 
POSITION  zero.  If  not,  POSITION  is  set  to  DIR_ACL_HEAD (OFFSET) , and 
until  ACL_CHAIN(POSITION)  is  zero  marking  the  end  of  the  chain  or 
ACL_USER(ACL__CHAIN (POSITION))  and  ACLJJSER_JIASK  is  ALL_USERS, 

POSITION  is  reset  to  ACL_CHAIN (POSITION) . GIVE  now  fills  in  the  new 
element,  ACL_USER(ACLE//)  assigned  USER  or  MODE  and  ACL_PROJECT(ACLE//) 
assigned  PROJECT.  If  POSITION  is  zero,  the  element  is  entered  at  the 
beginning  of  the  list  by  setting  ACL_CHAIN(ACLE//)  to  DIR_ACL_HEAD 
(OFFSET)  and  DIR_ACL_HEAD (OFFSET)  to  ACLE# . Otherwise,  the  element 
is  inserted  after  the  ACL  element  identified  by  POSITION:  ACL_CHAIN 
(ACLE//)  is  assigned  ACL__CHAIN (POSITION)  and  ACL_CHAIN (POSITION)  is 
assigned  ACLE//.  Finally,  if  MODE  is  less  than  WRITE $READ$ECECUTE_ 
ACCESS,  SOADD  is  called  to  remove  the  segment  from  the  work  spaces 
of  processes  whose  access  rights  have  been  rescinded.  RC  is  then  set 
to  OK_FLAG. 

Function:  GIVE 

Parameters  : GIVE  (process// , aste// , of  fset  ,mode  ,user_id  ,project_id) 

Effect : 

IF  not  AST__WAL(aste// , process//)  | 

(AST_TYPE(aste//)  i DIRECTORY)  | 

(DIR_SIZE(aste//, offset)  = 0)  I 

DUPACL(aste//,  ’DIR_ACL_HEAD  ’ (aste// , off  set)  , user_id, 
project^id) | 

('ACL_CHAIN’ (aste//,  0)  =0); 

THEN:  RC(process//)  = NO; 

ELSE:  Let  acle//  = ’ACL_CHAIN’ (aste#  ,0)  ; 

ACL_CHAIN(aste//,0)  = ’ACL_CHAIN’ (aste//, acle//)  ; 

Let  position  = FACLPOS  (as  te# , ’DIR_ACL_HEAD’ (aste//,  off  set)  , 
user_id,  project_id) ; 
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IF  position  = 0; 

THEN:  ACL_CHAIN(aste//,acle//)  = 

’DIR_ACLj:iEAD’  (aste//, of  f set)  ; 

DIR_ACL_HEAD(aste//,off  set)  = acle#; 

ELSE:  ACL_CHAIN( aste//, acle//)  = ’ ACL_CHAIN ’ (as te// , position)  ; 

ACL__CHAIN  (aste//,  position)  = acle//; 

END; 

ACL__USER(aste//  ,acle//)  = user__id; 

ACL_PROJECT  (aste//,  acle//)  = project__id; 

ACL__M0DE  (as  te// , acle//)  = mode ; 

SOADD(aste//,of  fset) ; 

RC(process//)  = YES; 

END; 

Function:  DUPACL 

Parameters  : DUPACL  (aste//,  acle//,  user_id,  pro  ject_id)  ; 

Value: 

IF  acle//  = 0; 

THEN:  FALSE; 

ELSE: 

IF  (ACL__USER (aste//, acle//)  = user__id)  & 

(ACL_PROJECT (aste//, acle//)  = proj ect__id)  ; 

THEN:  TRUE; 

ELSE : DUPACL  (as  te// , ACL__CHA1N  (as  te// , acle//)  , user_id , 
project_id)  ; 

END; 

END; 

Function:  FACLPOS 

Parameters  : FACLPOS  (as  te// , acle// , user_id , proj  ect__id) 

Value: 

IF  acle//  = 0; 

THEN:  0; 

ELSE: 

IF  (user__id  = ALL_USERS)  & 

(project_id  = ALL_PROJECTS) ; 

THEN:  FINDEND (aste//, acle//)  ; 

ELSE: 

IF  (user__id  = ALL_USERS) 

(project  id  = ALL  PROJECTS); 

THEN: 
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IF  ACL_USER(aste#,acle#)  = ALL_USERS; 
THEN:  0; 

ELSE:  FINDUSER(aste#,acle#) ; 

END; 

ELSE : 0 ; 

END; 

END; 

END; 

Function:  FINDEND 

Parameters:  FINDEND (as te#,  acle#) 

Value: 

IF  ACL_CHAIN(aste#,  acle#)  7^  0; 

THEN:  FINDEND ( as te#,  ACLE_CHAIN(aste// , acle#)); 

ELSE:  acle#; 

END; 

Function:  FINDUSER 

possible  values:  acle# 

Parameters:  FINDUSERCaste#,  acle#) ; 

Value : 

IF  (ACL_CHAIN(aste#,  acle#)  = 0)1 

(ACL_USER(aste#,  acle#)  = ALL_USERS 
THEN:  acle#; 

ELSE:  FINDUSER (as te#,  ACL_CHAIN(aste# , acle#)); 

END; 


3. 2. 5*2  N/A 
3. 2.5. 3 Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

PCHECK  WRITEDIR 

SOADD 


3.2.5. 4 Data  Organization 


Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  GIVE.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2. 
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Data  Base  References 


Global  References  Function  Parameters  Local  References 


DIRJDISK 
DIR_ACL_J1EAD 
ACL_USER 
ACL_PROJECT 
ACL  CHAIN 


ASTE# 

OFFSET 

MODE 

USER 

PROJECT 


ACLE# 

INDEX 

POSITION 

RC 


Constants 


ACLJJSER_MASK 

ALL__PROJECTS 

ALLJJSERS 

ERR_FLAG 

OK_FLAG 

WRITE^READ$EXECUTE__ACCESS 


3 . 2 • 5 - 5 Limitations 


GIVE  returns  ERR^FLAG  if  DIR__DISK  for  the  segment  is  zero,  if 
ACL^USER  and  ACL__USER_MASK  matches  the  USER  specified  and  ACL_PROJECT 
matches  the  PROJECT  specified,  or  if  no  elements  are  free.  Otherwise, 
RC  = OK  FLAG, 


3. 2. 5.6  Listing 


DATA  GIVE(ASTE#.  OFFSET,  MODE.  ^JSER,  PROJECT)  RETURNS  (RC)  ; 


PROGRAM  GIVE; 

DECLARE 

WORD  (ACLE#,  INDEX,  POSITION); 

/*  SECURITY  CHECKS  FIRST 

/♦  GIVE  WRITES  INTO  DIRECTORY  (INTREPRET ATIVE  WRITE) 

IF  WRITEDIR  (ASTE#)  = ERR_FLAG; 

THEN: 

RETURN  WITH  ERR_FLAG; 

END; 

/♦  IMPLEMENTATION  CHECKS 

/*  SEGMENT  MUST  EXIST 

IF  DIR_DIS K (OFFS ET)  = 0; 

THEN? 

RETURN  WITH  ERR_FLAG; 

END; 


*/ 

*/ 


♦/ 

*/ 


?/ 
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/*  SEARCH  FOR  DUPLICATE  A^nELEM^NT  ^ 

•INDEX  :=  DIR_ACL_HEAD(OFFSET)  ; 

CYCLE 

....  EXIT  WHEN  INDEX  = 0; 

IF  ((USSR  = (ACL  USER(INDEX)  G ACL_USER_i  ASK)  ) G (PROJECT  = AC  L_  PROJ  ECT  (I  NDEX ) ) 

) ; 

THEN: 

RETURN  WITH  ERR^FLAG; 

F.N  D ; 

INDEX  :=  ACL_CHAIN (INDEX) ; 

END; 

/♦  ALLOCATE  AN  ACL  ELSHENT  */ 

ACLE#  :=  ACL_CHAIN (0) ; 

IF  ACLE#  = 0; 

THEN: 

RETURN  WITH  ERR^FLAG; 

END; 

/♦  CHECKING  COMPLETE  - PFRFORM  STATE  CHANGE  */ 

ACL_CHAIN(0)  :=  ACL^CHAIN  (ACLE#)  ; 

/*  DETERMINE  CORRECT  POSITION  FOR  NEW  ACL  ELEMENT  V 

« 

POSITION  :=  0;  _ 

IF  DIR_ACL_HEAD  (OFFSET)  -»=  0; 

IF  ((USER  = ALL^USERS)  G (PROJECT  = ALL_PROJECTS) ) , 

THEN:  POSITION  :=  DIR_ACL_HEAD  (OFFSET)  ; 

CYC  LE 

exit  when  ACL_CHAIN  (POSITION)  = 0; 

POSITION  :=  ACL_CHAIN  (POSITION)  ; 

END  ; 

""^IF  ((DSEF  = ALL_0SEBS)  I (PROJECT  = ALL_PFOJECTS)  ) ; 

(ACL  USEB(DIB_ACL_HEAD(OFFSET))  6 ACL_OSEB_«ASK)  -=  ALL_OSEES: 
THEN:"" POSITION  :=  DIR_ACL_ HEAD  (OFFSET); 


...."exit  WHEN  (ACL_CHAIN  (POSITION)  = 0)  | ( ( ACL_USER  ( ACL_CH  AI N ( 

POSITION))  G ACL_USER^M  ASK)  = ALL^USERS)  ; 

POSITION  :=  acl_chain1position) ; 

END; 

FND; 


END; 


FND; 


FND  ; 
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/*  FILL  IN  NEW  ACL  ELF?1SNT  AND  ADD  TO  CHAIN 

ACL_USER  ( ACLF#)  :=  (USER  | PODE); 

ACL^PROJECT  (ACLE#)  :=  PROJECT; 

IF  POSITION  = 0; 

THEN:  ACL^CHAIN  (ACLE#)  :=  DI  R_ACL_H  EA  D ( OF  FSST)  ; 

DIR_ACL_HEAD  (OFFSET)  :=  ACLE#; 

ELSE:  ACL_CHAIN  (ACLE#)  :=  A CL_C  HAIN  (POS  IT  10  N ) ; 
ACL^CHAIN  (POSITION)  ACLE#; 

END  ; 

/♦  "GIVE”  MAY  RESCIND  ACCESS  RIGHTS 

IF  MODE  HRITE$READ$EXECUTR  ACCESS; 

THEN:  SOADD(ASTE#,  OFFSET);** 

END; 

RC  :=  OK_FLAG; 


3.2.6  Rescind  Access  (RESCIND) 


The  Rescind  Access  CPC,  RESCIND,  Is  a user  level  SKCPP  function 
that  Is  called  by  user  level  external  programs  with  the  parameters 
offset,  user,  and  project.  RESCIND  calls  only  kernel  level 
Internal  functions.  It  Is  written  In  Project  SUE  System  Language. 

3. 2. 6.1  Description 

RESCIND  moves  an  element  from  an  entry's  ACL  to  the  directory's 
free  element  chain.  If  WRITEDIR  shows  that  the  ASTE#  supplied  does 
not  Identify  a directory  to  which  the  process  has  write  access, 

RESCIND  returns  ERR_FLAG.  Otherwise,  RESCIND  searches  the  ACL  for 
an  element  such  that  ACL_USER( INDEX)  and  ACL_USER_MASK  equals  USER 
and  ACL_PR0JECT  equals  PROJECT,  starting  with  INDEX  set  to 

ACL HEAD (offset) . If  INDEX  Is  0,  the  end  of  the  list  has  been 

reached  without  finding  the  specified  element,  so  ERR_FLAG  Is  returned. 
If  the  element  Identified  by  INDEX  Is  the  one  specified,  RESCIND 
stops  Its  search;  otherwise  SAVE_LAST  Is  set  to  INDEX,  INDEX  Is 
reset  to  ACL_CHAIN (INDEX) , and  the  search  Is  continued. 

After  the  element  Is  found.  If  INDEX  equals  DIR_ACL_HEAD (OFFSET) 
DIR_ACL_HEAD (OFFSET)  Is  reset  to  ACL_CHAIN (INDEX) . If  not, 
ACL_CHAIN(SAVE_LAST)  Is  set  to  ACL_CHAIN (INDEX) . The  element  thus 
removed  Is  then  put  at  the  head  of  the  free  chain  by  assigning 
ACL_CHAIN ( INDEX)  the  value  of  ACL_CHAIN(0)  and  ACL_CHAIN(0)  the  value 
of  INDEX.  SOADD  Is  called  to  remove  the  entry  from  the  work  spaces 
of  processes  whose  access  rights  have  been  limited  by  RESCIND. 

RESCIND  then  returns  with  RC  set  to  OK  FLAG. 
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Function:  RESCIND 

Parameters:  RESCIND(process// , aste#,  offset,  user_id, 

project__id) 

Effect: 

IF  not  AST^WAL (aste?/ , process#)^ 

(AST_TYPE(aste//)  + DIRECTORY) 

(DIR__SIZE(aste//,  offset)  = 0) 

not  PUP ACL (aste#,  ’DIR_ACL_JIEAD'  (aste#,  offset),  user_id, 
project_id) ; 

THEN:  RC (process#)  = NO; 

ELSE:  Let  acle#  = FINDACLE(aste#,  ’DIR_ACL_HEAD' (aste#, 
offset),  user_id,  project_id; 

IF  acle#  = ’DIR__ACL__HEAD’ (aste# , offset); 

THEN:  DIR_ACLE_HEAD(aste#,  offset) 

ACL_CHAIN(aste#,  acle#); 

ELSE:  Let  pacle#  = FINDPLACE(acle#) ; 

*DIR_ACL_HEAD' (aste#,  offset),  acle#); 
ACL_CHAIN(aste#,  pacle#)  = ' ACL_CHAIN’ (as te# , acle#); 

END; 

Function:  FINDACLE 

Parameters:  FINDACLE (aste#,  acle#,  user_id,  project_id) 

Value : 

IF  (ACL_USER(aste#,  acle#)  = user__id)& 

(ACL_PR0JECT(a3te,  acle#)  = project_id); 

THEN:  acle#; 

ELSE:  FINDACLE (aste#,  ACL_CHAIN(aste# , acle#),  user_id, 

project__id) ; 

END: 

Function:  FINDPACLE 

Parameters:  FINDPACLE (aste#,  vacle#,  acle#) 

Value: 

IF  ACL__CHAIN(aste , vacle#)  = acle#; 

THEN:  vacle#; 

ELSE:  FINDPACLE (aste#,  ACL_CHAIN (aste# , vacle#,),  acle#); 

END: 


3. 2. 6. 2 N/A 

3. 2. 6. 3 Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

PCHECK  WRITEDIR 

SOADD 
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3. 2.6. 4  Data  Organization 


Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  RESCIND.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


DIR_ACL_HEAD  ASTE// 

ACL__USER  OFFSET 

ACL_PROJECT  USER 

ACL  CHAIN  PROJECT 


INDEX 

SAVE_LAST 

RC 


Constants 

ALL_USERJiASK 

ERR_FLAG 

OF_FLAG 

3. 2.6.5  Limitations 


RESCIND  returns  ERR_FLAG  if  the  ASTE//  supplied  does  not  identify 
a directory  to  which  the  process  has  write  access  or  if  ACL_USER  and 
ACL_USER_MASK  does  not  match  the  USER  specified  and  ACL^JPROJECT  does 
not  match  the  PROJECT  specified.  Otherwise,  RC  = OK__FLAG  . 

3. 2.6.6  Listing 

DATA  RESCIND(ASTE#,  OFFSET,  USER,  PROJECT)  RETURNS  (RC)  ; 


PROGRAM  RESCIND; 

DECLARE 

WORD  (INDEX,  SAVE^LAST)  ; 

/♦  SECURITY  CHECKS  FIRST 

/♦  RESCIND  IS  INTERPRETATIVE 

IF  WR ITEDIR  (ASTE  i^)  = ERR_FLAG; 
THEN: 

....  RETURN  WITH  ERR_FLAG;' 

END; 


DIRECTORY 


WRITE 


♦/ 

♦/ 
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I^PLEMFNT  ATION  CHECKS 


/* 


/*  SEARCH  FOP  SPECIFIED  ACL  ELEMENT 
INDEX  :=  DXR_ACL_HEAD(OFFSET)  ; 

CYCLE 


♦/ 


IF  INDEX  = 0; 

THEN: 

RETURN  WITH  ERR_FLAG; 

END; 

IF  ((USFR  = (ACL_USSR (INDFX)  & ACL_USER_MASK) ) & (PROJFCT  = ACL^PROJECT (IN DEX) ) 
THEN: 

EXIT; 

END; 

SAVE_LAST  :=  INDEX; 

INDEX  :=  ACL_CHAIN  (INDEX) ; 

END  ; 

/*  CHECKING  COMPLETE  - PERFORM  STATE  CHANGE  ♦/ 

/*  REMOVE  FOUND  ACL  ELEMENT  FROM  CHAIN  */ 

I?  INDEX  = DTR_ACL_HEAD (OFFSET) ; 

THEN;  DIR_ACL_HEAD(OFFSET)  :=  ACL  C HA  IN  ( INDEX)  ; 

ELSE;  AClIchAIN  (SAVE  LAST)  :=  ACl'chA  IN  ( I NDEX)  ; 

END; 

/*  AND  PUT  ON  FREE  CHAIN 

ACL_CHAIN  (INDEX)  :=  ACL  CHAIN  (0)  ; 

ACL_CHAIN(0)  :=  INDEX; 

/*  NOW  FOR  THE  MESSY  PART 

SOADD(ASTE#,  OFFSET);  /*  SEARCH  OUT  AND  DESTROY  DESCRIPTORS  */ 

RC  ;=  OK^FLAG; 


3.2.7  Get  Write  Access  (GETW) 


♦/ 


*/ 


The  Get  Write  Access  CPC,  GETW,  is  a user  level  SKCPP  function 
that  is  called  by  one  other  user  level  external  function  and  by  user 
level  external  programs  with  the  parameters  seg#  and  offset.  GETW 
calls  only  kernel  level  internal  functions*  It  is  written  in  Project 
SUE  System  Language. 

3.2. 7.1  Description 

GETW  gets  write  access  to  a segment  if  security  requirements  are 
met.  It  calls  DSEARCH  which  returns  ERR_FLAG  if  the  user  does  not 
have  WRITE$READ$EXECUTE_ACCESS  according  to  the  ACL.  If  DSEARCH 
returns  ERR_FLAG,  GETW  returns  with  ERR_FLAG. 

If  PS_CURRENT_PROCESS  does  not  equal  EXEC_PROCESS# , the  process 
is  not  trusted  and  the  property  mustbe  enforced.  The  ^-property 
requires  that  all  objects  to  which  a subject  has  write  access  have 
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the  same  security  level  and  that  all  objects  to  which  it  has  read 
access  have  a security  level  less  than  or  equal  to  the  write 
security  level.  Thus,  if  PS_^CUE._CLASS  is  not  identical  to 
DIR__CLASS)OFFSET)  and  DIR__CLASS__MASK  or  if  PS_CUR__CAT  is  not 
identical  to  DIR__CAT (OFFSET)  GETW  returns  with  ERR__FLAG. 

If  PS__CURRENT__PROCESS  does  not  equal  EXEC_PROCESSy/ , the  process 
is  trusted  and  only  the  preservation  of  security  need  be  enforced. 

If  PS_CUR_CLASS  is  less  than  DIR_CLASS  (OFFSET)  and  DIR__CLASS  MASK 
or  if  PS_CUR__CAT  is  not  equal  to  DIR_C AT  (OFFSET)  or  PS__CUR_CAT, 

GETW  returns  with  ERR__FLAG. 

Security  checking  complete,  GETW  calls  CONNECT.  If  the  process 
is  not  already  connected  to  the  seg  and  has  a free  seg#,  the 
segment  is  activated  if  necessary  and  the  process  is  added  to  the 
CPL  and  the  WAL  of  the  ASTE.  GETW  returns  the  seg#  with  which  the 
process  can  identify  the  segment. 

Function:  GETW 

Parameters:  GETW(process#,  aste#,  offset) 

Effect: 

IF  (ASTE__TYPE(aste#  ^ DIRECTORY)! 

(DIR_SIZE(aste#,  offset)  = 0)1 

not  DSEARCH(process#,  aste#,  DIR_ACL__HEAD (aste#,  offset), 

WRITE) ; 

THEN:  RC (process#)  = NO; 

ELSE: 

IF  PS_TYPE (process#)  = TRUSTED; 

THEN: 

IF  (PS_CUR__CLASS  (process#)  , < DIR_CLASS  (aste# , offset))! 

(PS_CUR_CAT (process#) ^ DIR_CAT (aste# , offset) ) ; 

THEN:  RC (process#)  = NO; 

ELSE:  CONNECT (process#,  aste#,  offset,  WRITE); 

END; 

ELSE: 

IF  (PS_CUR_CLASS (process#)  i DIR_CLASS (aste# , offset) )| 

(PS_CUR__C  AT  (process#)  i DIR__CAT  (aste#,  offset)); 

THEN:  RC  (process#)  = NO; 

ELSE:  CONNECT (process#,  aste#,  offset,  WRITE); 

END; 

END; 

END; 

3.2.7. 2 N/A 
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3. 2. 7. 3 


Interfaces 


Called  By  Calls 

STARTP  DSEARCH 

PCHECK  CONNECT 

3.2. 7.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  function  GETW.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraps  3.3.1. 

For  constants  refer  to  Table  I,  List  of  constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 

PS_CURRENT_PROCES  S ASTE# 

PS_CUR_CLASS  OFFSET 

PS_CUR_CAT 

DIR_CLASS 

DIR_CAT 

Constants 

DIR_CLASS_MASK 

ERR_FLAG 

EXEC_PROCESS// 

\<JRITE$READ$EXECUTE_ACCESS 

3. 2. 7.5  Limitations 

GETW  returns  ERR_FLAG  If  the  user  does  not  have  WRITE$READ$ 
EXECUTE_ACCESS  to  the"”segment , if  PS_CURRENT_PROCESS  does  not  equal 
EXEC_PROCESS//  or  if  PS_CUR_CLASS  and  PS_CUR_CAT  does  not  match 
DIR_CLASS  and  DIR_CAT.  Otherwise,  RC  = seg#. 

3. 2. 7. 6 Listing 


DATA  GETW  (AST?'*,  OFFSET)  RETURNS  (RC); 
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PR 0GB An  GETW; 


/*  SECURITY  CHECKS  FIRST 

/*  SEARCH  DIRECTORY  ACL 

IF  DSEARCH  (ASTE#,  OFFSET,  WRI TE $R EAD$E XECUTE, ACCESS)  = ERR.FLAG; 
THEN: 

return  WITH  ERR_FLAG; 

END; 

IF  PS_CUPPENT_PROCESS  -«=  EXEC^PROCESS  # ; 

THEN: 

/*  CHECK  FOR  PRESERVATION  OF  SECURITY  AND  * -PROPERTY 

IF  PS  CUR_CLASS  -^=  (DIR_CLASS  (OFFSET)  & DIR^CLAS S_K AS K)  ; 
THEN: 

RETURN  WITH  ERR^FLAG; 

END; 

IF  PS_CUR_CAT  -=  DIR_CAT(OFFSET)  ; 

THEN: 

return  with  ERR_FLAG; 

END; 

ELSE: 

IF  PS  cn?_CLASS  < (DIR_CLASS  (OFFSET)  & D IR_C  LA  SS^HAS  K ) ; 
THEN: 

RETURN  WITH  ERR^PLAG; 

END; 

IF  PS  CUR  CAT  "•=  ( DI R_^CAT  (OFFSET)  t PS__CUR__CAT)  ; 

THEN: 

. RETURN  WITH  ERR_FLAG; 

END; 

END; 

/*  inPLFMENT  ATION  CHECKS 

/*  CONNECT  PROCESS  TO  AST  ENTRY  FOR  THIS  SEGMENT 
RC  :=  CONNECT  (ASTE#,  OFFSET,  WR  IT  E$  READS  EXECUTE^ACCESS)  ; 


3.2.8  Get  Read  Access  (GETR) 


*/ 

♦/ 


♦/ 


♦/ 

♦/ 


The  Get  Read  Access  CPC,  GETR,  is  a user  level  external  SKCPP 
function  that  is  called  by  one  other  user  level  external  function 
and  by  user  level  external  programs  with  the  parameters  seg#  and 
offset.  GETR  calls  only  kernel  level  internal  functions.  It  is 
written  in  Project  SUE  System  Language. 

3. 2. 8.1  Description 

GETR  gets  access  to  a segment  identified  by  aste#,  offset  for 
a process,  if  security  requirements  are  satisfied.  It  calls  DSEARCH 
which  scans  the-  ACL  of  the  segment  and  returns  ERR^FLAG  if  the 
process  lacks  READ$EXECUTE_jACCESS . If  DSEARCH  returns 
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ERR_FLAG,  GETR  returns  with  ERR_FLAG.  GETR  then  checks  the  preser- 
vation of  security.  If  PS_CUR_CLASS  is  less  than  DIR_CLASS (OFFSET) 
and  DIR_CLASS__MASK  or  or  if  PS_CUR_CAT  does  not  equal  DIR  CAT (OFFSET) 
or  PS__CUR_CAT,  ERR_FLAG  is  returned.  “ 


Otherwise,  security  checking  is  complete,  and  CONNECT  is  called. 
It  adds  the  process  to  the  CPL  of  the  segment's  ASTE  and  returns  its 
seg#  if  the  process  is  not  already  connected  to  the  segment  and 
has  a free  seg#.  GETR  then  returns  with  the  seg#  which  the  process 
can  subsequently  use  to  refer  to  the  segment. 

Function:  GETR 

Parameters;  GETR(process#,  aste#,  offset) 

Effect : 

IF  (AST_TYPE(aste//)  = DIRECTORY)! 

(DIR_SIZE(aste#,  offset)  = 0)1 

not  DSEARCH(process//.  aste//,  DIR_ACL_HEAD (aste// , offset), 
READ)! 

(PS_CUR_CLASS  (process//)  < DIR_CLASS  (aste// , offset))  | 
(PS_CUR_CAT (process//)  ^ DIR__CAT (aste//,  offset)); 

THEN:  RC  (process//)  = NO; 

ELSE:  CONNECT  (process//,  aste,  offset,  READ); 

END; 

3. 2. 8. 2 N/A 

3.2.8. 3 Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

STARTP  D SEARCH 

PCHECK  CONNECT 

3. 2. 8. 4 Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  GETR.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2. 

Data  Base  References 

Global  References  Function  Parameters  Local  References 

PS_CUR_CLASS 
PS  CUR  CAT 


ASTE# 

OFFSET 
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Global  References 


Function  Parameters 


Local  References 


DIR_CLASS 

DIR_CAT 

Constants 

DIR_CLASS_MASK 

ERR_FLAG 

PJi:An$EXFCUTE_ACCESS 

3.2. 8.5  Limitations 

GETR  returns  ERR_FLAG  if  the  process  does  not  have  READ$ 
EXECUTE_ACCESS  to  the  segment  or  if  PS_CUR_CLASS  and  PS_CUR_CAT 
do  not  match  DIR_CLASS  and  DIR_CAT.  Otherwise,  RC  = seg#. 

3. 2. 8. 6 Listing 


DATA  GETR(ASTE#,  OFFSET)  RETURNS  (RC) ; 

PROGRAM  GETR; 

/*  SECURITY  CHECKS  FIRST 

/*  SEARCH  DIRECTORY  ACL 

IF  DSFARCH  (ASTE # , OFFSET,  READ$EXECUTE_ACCESS)  = ERR^FLAG; 
THEN: 

RETURN  WITH  ERR_FLAG; 

END; 

/♦  CHECK  FOR  PRESERVATION  OF  SECURITY  AND  ♦ -PROPERTY 

IF  PS_CUR_CLASS  < (DI R_C L A S S ( OF FS ET)  E DI R_CL ASS_M A SK ) ; 
THEN: 

....  RETURN  WITH  FRR_FLAG; 

END; 

IF  PS_CUP_CAT  -=  (DIR_CAT  (OFFSET)  | PS_CUR_CAT)  ; 

THEN: 

....  RETURN  WITH  ERR_FLAG; 

END; 

/*  IMPLEMENTATION  CHECKS 

/♦  CONNECT  PROCESS  TO  AST  ENTRY  FOR  THIS  SEGMENT 
RC  :=  CONNECT (ASTE# , OFFSET,  PEAD$EXECUTE_ACCESS) ; 


3.2.9  Release  Segment  (DCONNECT) 

The  Release  Segment  CPC,  DCONNECT,  is  a user  level  external 
SKCPP  function  that  is  called  by  user  level  external  functions,  one 
kernel  level  internal  function,  and  by  user  external  programs  with 


♦/ 

♦/ 


♦/ 


♦/ 

*/ 
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the  parameter  seg#.  DCOMECT  calls  only  one  kernel  level  internal 
function.  This  function  is  unique  in  that  it  is  known  by  two 
names:  external  to  the  Security  Kernel  by  RELEASE  and  internal  to 

the  Security  Kernel  by  DCOMECT.  The  rationale  being  the  nomenclature 
RELEASE  matches  a function  in  the  mathematical  model  (reference  2.1a) 
where  as  the  procedure,  while  being  true  to  the  mathematical  model, 
is  the  logical  inverse  of  the  internal  procedure  CONNECT.  DCONNECT 
is  written  in  Project  SUE  Language. 

3. 2. 9.1  Description 

DCONNECT  releases  a segment  from  the  process’s  WS  as  long  as  the 
seg//  Xs  valid.  It  sets  BLOCK#  to  AST_ADR(ASTE#) , which  holds  the 
main  memory  address  of  the  segment,  if  any,  or  zero.  If  BLOCK#  is 
not  zero  and  AST_UNLOCK(ASTE#)  and  AST_UNLOCK_MASK  does  not  equal 
AST_UNLOCK_FLAG,  the  segment  is  in  the  AS  of  the  process  and  must  be 
disabled.  In  this  case,  starting  with  REG#  set  to  zero  until 
REG#  equals  REG#_MAX,  DCONNECT  tests  if  PS_SAR(REG#)  equals  BLOCK#. 

If  so,  DISABLE  can  be  called  to  remove  the  segment  identified  by  REG# 
from  the  AS. 

The  process  can  now  be  disconnected  from  the  segment.  AST_CPL 
(ASTE#)  is  assigned  the  logical  and  of  PS_PROCESS_NOTMASK,  which 
consists  of  all  one’s  except  for  the  bit  corresponding  to  the 
process#,  and  AST_CPL(ASTE#) . Similarly,  AST_WAL (ASTE#)  is  assigned 
PS_PROCESS_NOTMASK  and  AST_WAL (ASTE#) . 

If  the  WAL  is  empty  DCONNECT  must  free  any  processes  that  are 
blocked  on  the  segment  semaphore,  since  P and  V require  write 
access  to  the  segment.  Thus,  if  AST_WAL (ASTE#)  equals  zero  and 
AST_CPL(ASTE#)  and  WIRED_DOWN_MASK  does  not  equal  WIREDJDOWN, 

DCONNECT  calls  V repeatedly  while  SMFR_COUNT  is  negative.  On 
exiting  this  loop,  SMFR_COUNT(ASTE#)  is  set  to  1 and  SMFR_POINTER 
(ASTE#)  is  set  to  0. 

If  AST_CPL(ASTE#)  = 0,  the  segment  is  not  in  the  working  space 
of  any  process.  Therefore,  DCONNECT  sets  AST_AGE_CHAIN(ASTE#)  to 
AST_AGE_CHAIN(0)  and  AST_AGE_CHAIN(0)  to  ASTE#. 

Finally,  DCONNECT  puts  SEG#  on  the  chain  of  free  segment 
numbers;  PS_SEG(SEG#)  is  set  to  PS_SEG(0)  and  PS_SEG(0)  is  reset  to 
SEG#  or  SEG  FLAG. 
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Function:  RELEASE 

Parameters:  RELEASE  (process//,  aste//,  seg//) 

Effect : 

Let  block//  = ' AST_ADR' (aste//)  ; 

IF  (block#  ^ 0); 

THEN; 

(Vreg//)  (REG//_MTN  <reg//<  REG_MAX)  & 

IF  ( 'PS_SAR' (process//,  reg//)  = block//); 

THEN:  DISABLE(process//,  reg//); 

END; 

END; 

END; 

AST_CPL(aste//,  process//)  = FALSE; 

AST_WAL(aste//,  process//)  = FALSE; 

IF  not  (:ii)  (PROCESS//_MIX  <i  <PROCESS//_MAX)  & 

(AST_CPL(aste//,  i)  = TRUE)); 

THEN:  AST  (aste//); 

END; 

PS_SEG (process//,  seg//)  = 'PS_SEG' (process//,  0); 

PS_SEG(process// , 0)  = seg//; 

PS_SEG_INUSE (process//,  seg//)  = FALSE; 

3. 2. 9. 2 N/A 

3. 2.9. 3 Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

PCHECK  DISABLE 

STARTP 

STOPP 

SOADD 

3.2.9. 4.  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  DCONNECT.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 
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Data  Base  References 


Global  References  Function  Parameters  Local  References 

PS_SAR  SEG//  BLOCK# 

PS_SEG  ASTE#  REG# 

AST_ADR 

ASTJJNLOCK 

AST_CPL 

ASTJWAL 

AST_AGE_CHAIN 

SMFR_COUNT 

SMFR_POINTER 

Constants 


ASL 

AST_UNLOCK_FLAG 

BLOCKED 

REG#_MAX 

SEG_FLAG 

WIRED_DOWN 

WIRED  DOWN  MASK 


3 . 2 . 9 • 5 Limitations 


None 


3-2.9. 6 Listing 

DATA  DCONNECT  (SKG#,  ASTE#); 

PRCGRAM  DCONNBCT; 

DECLARE 

WORD  (BLOCK#,  REG#^; 

/♦  PROCESS  MUST  NOT  HAVE  ANY  DESCRIPTORS  ON  SEGMENT  LOCKED  IN  ♦/ 

BLOCK#  :=  AST_ADR  (ASTE#)  ; 

IF  (BLOCK#  0)  r,  ( ( A'ST_UMLOCK  (ASTE#)  S AST_0N  LOC  K_MAS  K)  -t=  AST_ONLOCK  FLAG); 

THEN: 

/♦  MY  BLOCKS  TO  THEIRS  ♦/ 

INLINE(ASL,  BLOCK#)  ; 

INLINE  (AS  L,  BLOCK#)  ; 

DO  REG#  :=  0 TO  PEG#_MAX; 

IF  PS_SAR(REG#)  = BLOCK#; 

THEN:  DISABLE  (RFG#)  ; 

END; 


END; 


END; 
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DISCONNPCT  THIS  PROCESS 


V 


/* 

AST_CPL  (ASTR#)  :=  ( AST_CPL  ( A STE  #)  6 PS  PROCESS_NOTnASK)  ; 

AST_WAL  (ASTE#)  :=  (AST_WAL  (ASTE#)  6 PsIprOCESS_NOTM ASK)  ; 

/♦  RESET  SEMAPHORES  FOR  SEGMENT  WITH  EMPTY  WRITS  ACCESS  LIST  ♦/ 

IF  (AST^WAL  (ASTE#)  - 0)  & ( ( AST_CPL  ( ASTE#)  6 WIRED  DOWN_MASK)  -i=  WIRED  DOWN); 

THEN:  /♦  FREE  PROCESSES  BLOCKED  ON  THE  SEGMENT  SEMAPHORE  V 

CYCLE 

EXIT  WHEN  SMFR_COUNT(ASTE#) >=  D; 

V (ASTE#)  ; 

END; 

SMFR_COUNT  (ASTE#)  :=  1; 

SMFR_POINTER  (ASTE#)  :=  0; 

END; 

/♦  AGE  IF  THIS  IS  THE  LAST  PROCESS  TO  DISCONNECT  ♦/ 

IF  AST_CPL(ASTE#)  = 0; 

THEN?  AST_AGE_CHAIN  (ASTE#)  :=  AST_AGE  CHA  IN  (D)  ; 

AST_AGE_CHAIN(0)  ;=  ASTE#; 

END; 

/♦  PUT  SEG#  ON  FREE  CHAIN  ♦/ 

PS_SEG(SEG#)  ;=  PS_SEG  (0)  ; 


3.2.10  Enable  (ENABLE) 

The  Enable  CPC,  ENABLE,  is  a user  level  external  SKCPP  function 
that  is  called  by  other  user  level  external  functions  and  by  user 
level  external  programs  with  the  parameters  seg#  and  reg#.  ENABLE 
calls  only  kernel  level  Internal  functions.  It  is  written  in  Project 
SUE  System  Language,  including  the  Inline  feature. 

3.2.10.1  Description 


ENABLE  moves  a segment  from  a process's  WS  to  its  AS  if 
implementation  constraints  are  satisfied.  If  REG#  is  greater  than 
CR0SS_REG#,  it  sets  P_REG#  to  REG#  + REG_CONSTANT;  otherwise  it 
sets  P_REG#  to  REG#. 

If  PS_SAR(REG#)  is  not  0,  the  register  specified  is  not  free 
and  ENABLE  returns  with  ERR_FLAG.  It  next  tests  whether  sufficient 
space  in  the  user's  memory  is  available.  If  the  logical  and  of 
AST_CPL(ASTE#)  and  WIRED_DOWN_MASK  does  not  equal  WIRED_DOWN  and 
AST_SIZE(ASTE#)  is  greater  than  PS_MEM_QUOTA,  ENABLE  returns  with 
ERR_FLAG.  If  not,  implementation  checks  are  complete. 

ENABLE  then  insures  that  the  segment  is  in  main  memory  by  calling 
SWAPIN  if  AST_ADR(ASTE#)  is  zero.  If  AST_UNLOCK(ASTE#)  and 
AST_UNLOCK_MASK  equals  AST_UNLOCK_FLAG,  the  segment  is  currently 
eligible  to  be  swapped  out  of  main  memory  and  must  be  removed  from 
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the  swap  chain.  Starting  with  INDWX  set  to  0,  ENABLE  repeatedly 
sets  NEXT  to  AS T__SWAP_CHAIN (INDEX)  and  INDEX  to  NEXT,  leaving  the 
loop  upon  setting  NEXT  to  ASTE#.  It  then  assigns  to  AST__SWAP_CHAIN_ 
(INDEX)  the  value  of  AST_SWAP_CHAIN  (ASTE//) , to  ASTJDES_COUNT  (ASTE//) 
the  value  zero,  and  to  AST_UNLOCK(ASTE//)  the  logical  and  of 
AST_UNLOCK(ASTE//)  and  AST_LOCK_MASK. 

To  determine  the  mode  of  access,  ENABLE  calculates  the  logical 
and  of  AST_TYPE(ASTE//)  and  AST_TYPE_MASK.  If  this  equals 
ASTJTYPEJDIRECTORY  MODE  is  set  to  zero.  Otherwise,  if  AST_WAL_(ASTE//) 
and  P _PROCESS_MASK  equals  zero  MODE  is  set  to  SDR__READ_ACCESS ; 
if  not,  MODE  is  set  equal  to  SDR_WRITE_ACCESS . 

Sets  priority  level  high  through  the  Inline  feature,  and  LSD 
is  called  to  construct  the  descriptors  and  store  them  in  the  appropr- 
iate segmentation  registers.  If  PS_CURRENT_PROCESS  is  THE__CURRENT_ 
PROCESS,  ENABLE  loads  the  hardware  registers  as  well:  SDR(P_REG//) 
is  assigned  PS_SDR(REG//)  and  SAR(P__REG//)  is  assigned  PS_SAR(REG//)  . 

To  complete  the  operation,  sets  priority  level  low  through  the 
Inline  feature,  and  AST_pES_COUNT (ASTE//)  is  incremented  if 
ASTJDES_COUNT(ASTE//)  is  incremented.  If  AST_CPL (ASTE//)  and 
WIRED_DOWN_MASK  does  not  equal  WIRED_DOWN,  the  user’s  memory  space, 
PS_MEM_QUOTA  is  diminished  by  AST_SIZE(ASTE//) . ENABLE  then 
returns  RC  set  equal  to  OK_FLAG. 

Function:  ENABLE 

Parameters:  ENABLE  (process//,  reg//) 

Effect: 

Let  size  = AST_SIZE  (aste//) ; 

IF  (PS_SAR (process//,  reg//)  0)1 

((AST__WIRED_DOWN(aste//)  = OFF)  & 

(size  >’PS_MEM_QUOTE’  (process//)) ; 

THEN:  RE  (process//)  = NO; 

ELSE: 

IF  ’AST_ADR’ (ASTE//)  = 0; 
tHEN:  SWAPIN(aste//) ; 

END; 

IF  ’AST_L0CK’ (aste//)  = UNLOCKED; 

THEN:  LOCK  (as  te//)  ; 

END; 
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IF  AST_TYPE(aste#)  = DIRECTORY 
THEN:  Let  mode  = NO; 

ELSE: 

IF  AST_WAL(aste#,  process#)  = TRUE; 

THEN:  Let  mode  = WRITE; 

ELSE:  Let  mode  = READ; 

END: 

END; 

LSD(AST_ADR(aste#) , regy/,  mode); 

IF  AST_WIRED_DOWN(aste#)  = OFF; 

THEN:  PS_MEM_QUOTA (process#)  = 'PS_MEM_QUOTA' (process#)  - 

size ; 

END; 

ASTJ)ES_COUNT(aste#)  = ’ AST_DES_COUNT(aste#)  + 1; 

RC  (process#)  = YES 

3.2.10.2  N/A 

3.2.10/3  Interfaces 

Refers  to  Figure  6,  Function  Call  Matrix 

Called  By  Calls 

PCHECK  SWAP IN 

STARTP  LSD 

3.2.10.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  ENABLE.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References 

PS_SAR 

PS_SDR 

PS_MEM_QUOTA 

PS_PROCESS_MASK 

P S_CURRENT_PROCE  S S 

AST_ADR 

AST_UNLOCK 

AST_SWAP_CHATN 

AST  DES  COUNT 


Function  Parameters 

ASTE# 

REG# 


Local  References 

P_REG# 

MODE 

REG_ADR 

INDEX 

NEXT 

RC 
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Global  References 


Function  Parameters 


Local  References 


AST_TYPE 

SDR 

SAR 

THE  CURRENT  PROCESS 


Constants 


AST_LOCK_MASK 

AST_TYPE_DIRECTORY 

AST_TYPE_MASK 

AST_UNLOCK_FLAG 

AST_UNLOCK_MASK 

CR0SS_REG# 

ERR_FLAG 
OK  FLAG 


PS_SDR_ADR 
REG_CONSTANT 
SDR_READ_ACCESS 
SDR_WRITE_ACCE S S 
SPLHIGH 
SPLLOW 
WIRED_DOWN 
WIRED  DOWN  MASK 


3.2.10.5  Limitations 


ENABLE  returns  ERR_FLAG  if  PS_SAR(REG#)  is  not  0,  if 
and  WIRED_DOWN_MASK  does  not  equal  WIRED_DOWN  and  if  AST 
is  greater  than  PS_MEM_QU0TA.  Otherwise,  RC=0K_FLAG. 

3.2.10.6  Listing 

DATA  ENABLE  (ASTF*,  RFC.#)  PFTORNS  (FC); 


PRCfiRAN  ENABLE; 

DECLARE 

WORD  (P_FEGA,  NODE,  BEG_ADR,  INDEX,  NEXT); 

IF  REG»  > CROSS^RFG#; 

THEN:  P_REG#  7=  REG»  ♦ REG^CONSTANT; 

FLSE:  P^P^'G#  ;=  REGt; 

END; 

/*  REGISTER  flUST  BF  FREE 

IF  PS_S\R(PEG«)  0; 

THEN: 

RETURN  WITH  KRR^FLAG; 

/*  SPACE  TW  USER'S  MEMORY  MUST  BF  AVAILA3L'=‘ 

IF  { { AST_CPL  ( ASTE#)  S W IR  ED_DOWN_M  ASK  ) -•=  WIRED^DOWN)  S { AST^SI  ZE  ( AST  S#) 

PS_MFM_OUOT  A)  : 

THEN; 

....  RETURN  WITH  FRR_FLAG; 

END; 


AST_CPL (ASTE#) 
SIZE (ASTE) 


*/ 


♦/ 
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/*  SWAPIN  IF  NECESSARY 

IF  AST^ADR  ( ASTF#)  = 0; 

THEN:  SWAPIN  (ASTE#)  ; 

END; 

/*  REMOVE  FROM  SWAP  CHAIN  IF  NEC’^SSARY 

IF  {AST_UNLOCK{ASTE#)  & AST_UNLOC K_M AS K)  = AST_UNLOCK_ELAG; 

THEN:  INDEX  : = 0; 

C YC  L E 

NEXT  :=  AST_SWAP_CHAIN  (INDEX)  : 

....  EXIT  WHEN  NEXT  ='“aSTE#; 

INDEX  :=  NEXT; 

END; 

AST_SWAP_CHAIN (INDEX)  :=  AST_S W A P_CHA IN ( A STE # ) ; 

AST"’dES  C0UNT(ASTE#)  :=  0; 

AST'iINLOCK  (ASTE#)  :=  (AST_UNL0CK(ASTF#)  6 AST^LOCK^MASK)  ; 

END; 

/♦  DETERMINE  TYPE  OF  ACCESS  PERMITTED 

IE  (AST  TYPE  (ASTE#)  & A ST_TYPE_MASK)  = AST_TY  PF^DIRECTO RY ; 

THEN:”’mODE  :=  0;  /*  DIRECTORY  ACCESSES  MOST  BE  INTERPRETIVE  ♦/ 
E LS  E : 

IF  (AST_.WAL  (ASTE#)  S PS_PROCESS_MASK)  = 0; 

then:”’mode  :=  sdr_read_access; 

ELSE:  MODE  :=  SDr”wRITE_ACCESS; 

EN  D; 

END; 

/*  LOAD  SEGMENT  DESCRIPTOR 

INLINE  (SPLHIGH)  ; 

LSD(ASTE#,  PS_SDR_ADR  + REG#  + REG#,  MODE); 

/*  IF  THIS  IS  THE  CURRENT  PROCESS  LOAD  HARDWARE  PEGS  ALSO 

IF  PS_CURRFNT_PPOCFSS  = THE  CURRENT  PROCESS’ 

THEN:  SDR(P_REG#)  : = PS_  SDR  (PEG  #)  ; 

SAR(P_PEG#)  :=  PS_SAR  (PEG#)  ; 

END; 

INLINE(SPLLOW)  ; 

/*  INCREMENT  DESCRIPTOR  COUNT 

AST_DES_COUNT  (AST  R#)  :=  AST_ DES_COUN T ( AST  F#  ) 1; 

/*  ADJUST  UST^R'S  QUOTA 

IF  (AST_.CPL(ASTF#)  G W I R ED_  DO  WN_  M AS  K)  WIPED_DOWN; 

THEN:  PS_MEM_QnOTA  :=  ?S_MEM  QUOTA  - AST  S IZ  F.  (A  STE  # ) ’ 

END;  -Vi. 

RC  :=  OK_FLAG; 

3.2.11  Disable  (DISABLE) 


*/ 


♦/ 


*/ 


*/ 


*/ 


The  Disable  CPC,  DISABLE,  is  a user  level  external  SKCPP  function 
that  is  called  by  other  user  level  external  functions  and  by  user 
level  external  programs  with  the  parameter  reg//.  It  is  Witten  in 
Project  SUE  System  Language,  including  the  Inline  feature. 
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3.2.11.1  Description 


DISABLE  removes  a segment  from  AS.  It  sets  BLOCK#  to 
PS_SAR(REG#) . If  BLOCK#  equals  zero,  the  register  REG#  contains  no 
descriptor  and  DISABLE  has  no  effect.  If  not,  BLOCK#  contains  the 
storage  address  of  the  segment  with  the  6 least  significant  bits 
omitted.  Since  the  MBT  omits  the  8 least  significant  bits  of  the 
address,  two  ASR  (arithmetic  shift  right)  commands  are  executed 
(using  Inline  code)  on  BLOCK#.  DISABLE  then  finds  the  ASTE#  of  the 
segment.  If  BLOCK#  is  less  than  END  BLOCK#,  ASTE#  is  assigned  MBT 
(BLOCK#).  Otherwise,  each  value  from  ASTE#_MIN  to  ASTE#_MAX  is 
tested  until  one  is  found  such  that  AST_ADR(ASTE#)  equals  BLOCK#. 

The  priority  level  is  then  set  high  (using  Inline  code)  and 
the  descriptor  destroyed  by  setting  PS_SDR(REG#)  and  PS_SAR(REG#) 
to  0.  If  PS_CURRENT_PROCESS  is  THE_CURRENT_PROCESS , the  hardware 
segmentation  registers  are  also  cleared,  as  follows.  If  REG#  is 
greater  than  CROSS_REG#,  REG^CONSTANT  is  added  to  REG#.  Next,  if 
SDR(REG#)  and  SDR_CHANGE_MASK  equals  SDR_CHANGED,  the  change  bit  is 
set,  and  AST_CHANGE(ASTE#)  is  reset  to  AST_CHANGE(ASTE#)  or 
AST__CHANGED.  SDR  (REG#)  and  SAR(REG#)  are  then  zeroed  and  the 
priority  level  is  set  to  low  using  Inline  code. 

AST__DES__COUNT (ASTE#)  is  then  decremented,  and  if  the  segment  is 
wired  down,  DISABLEing  is  complete.  If,  however,  AST_CPL (ASTE#)  and 
WIRED_DOWN_MASK  equals  0,  the  segment  may  be  eligible  for  swapping 
out.  If  AST__DES_COUNT (ASTE#)  is  0,  the  segment  is  added  to  the  head 
of  the  swap  chain  by  setting  AST__SWAP_CHAIN(ASTE#)  to  AST_SWAP__CHAIN(0) 
and  AST_SWAP__CHAIN(0)  to  ASTE#.  The  segment  is  also  unlocked  in  this 
case  by  resetting  AST _UNLOCK(ASTE#)  to  the  logical  or  of  AST_JJNLOCK 
(ASTE#)  and  AST_l)l\[LOCk_FLAG  >the  DISABLE  function  is  then  com- 
pleted by  crediting  PS_MEM_QUOTA  with  AST_SIZE(ASTE#) . 

Function:  DISABLE 

Parameters : DISABLE (process# , reg#) 

Effect : 

IF  PS_SAR(process# , reg#)  0; 

THEN:  Let  block#  = ’PS_SAR’ (process#, reg#) ; 

Let  aste#  = MBT_ASTE (block#) ; 

AS T_CHANGE (block#)  = 'AST_CHANGE ’ (block#) 1 

’PS_SDR_CHANGE’ (process#,  reg#): 

PS_SAR(process#,reg#)  = 0; 

PS__SDR(process#,  reg#)  = 0 ; 
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AST_DES_COUNT(aste#)  = 'AST_DES_COUNT' (aste#)  - 1; 

IF  (AST_DES_COUNT(aste#)  = 0)  & 

(AST_WIRED_DOWN(aste#)  = OFF); 

THEN:  UNLOCK  (as  te//)  ; 

END; 

IF  AST_WIRED_DOWN(aste#)  = OFF; 

THEN:  PS_MEM_QUOTA(processj'/)  = 'PS_MEM_QUOTA' (process#)  + 
size; 

END; 

END; 

3.2.11.2  N/A 


3.2.11.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.^. 

Called  By  Calls 

PCHECK  None 

DCONNECT 

3.2.11.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and  con- 
stants  used  by  the  function  DISABLE.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2. 

Data  Base  References 

Global  References  Function  Paraineters  Local  References 

PS_SAR  REG//  BLOCK// 

PS_SDR  ASTE// 

PS_MEM_QUOTA 

P S_CURRENT_PRO  CESS 

AST_ADR 

AST_UNLOCK 

AST_SWAP_CHAIN 

AST_DES_COUNT 

AST_CPL 

AST_CHANGE 

MBT_ASTE 

THE  CURRENT  PROCESS 
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Constants 


ASR 

AST_CHANGE 

AS  TJJNLOCK_FLAG 

ASTE#_MAX 

ASTE//_MIN 

CROSS_REG# 

END_BLOCK# 

3. 2. 11, 5 Limitations 


REG__CONSTANT 

SDR_CHANGE_MASK 

SDR_CHANGED 

SPLHIGH 

SPLLOW 

WIRED  DOWN  MASK 


None. 


3.2.11.6  Listing 


DATA  DISABLE (REG#)  ; 

DECLARE 

WORD  (BLOCK#,  ASTF  #)  ; 


PROGRAM  DISABLE; 

/*  TRANSLATE  PEG#  TO  ASTE#  (AND  CHECK  FOR  DESCRIPTOR  IN  REGISTER) 
BLOCK#  :=  PS_SAR  (REG#)  ; 

IF  BLOCK#  -.=  0; 

THEN:  INLINE(ASR,  BLOCK#);  /♦  THEIR  BLOCKS  TO  MINE  */ 

INLINE  (ASR,  BLOCK#)  ; 

IP  BLOCK#  < £ND_BLOCK#; 

THEN:  ASTE#  :=  M BT_AST E ( BLOCK #)  ; 

ELSE: 

DO  ASTE#  :=  ASTE#_MrN  TO  ASTE#_MAX; 

....  '•XIT  WHEN  AST^ADR  (ASTF#)  = BLOCK#; 

END; 

END ; 

/♦  DESTROY  DESCRIPTOR 

INLINE  (S  PLHIGH)  ; 

PS_SDR  (REG  #)  : = 0 ; 

PS“SAR(RRG#)  ;=  0; 

/*  IF  FOR  CURRENT  PROCESS  ALSO  CLEAR  SEGMENTATION  REGISTER 

IF  PS_CURRFNT_PROCS3S  = THE_CURRENT_FROCFSS; 

THEN: 

IF  REG#  > CROSS_REG#; 

THEN:  REG#  :=  REG#  ♦ REG^CONSTANT ; 

END  ; 

/♦ 


CHECK  FOR  CHANGE  BIT  BEING  SET 


IF  (SDR(RKG#)  r,  SDR_CHANGE_MASK)  = SDR_CHANGED; 

THEN:  AST_CHANGE  (ASTE#)  ( AST_C M ANG E ( AS TE # ) \ AST_CHANGED)  ; 

END; 

/♦  CLEAR  SEGMENTATION  REGISTER  */ 

SDR(RFG#)  :=  0; 

SAP  (REG#)  :=  0; 

END; 

INLINE  (SPLLOW)  ; 

/*  DECREMENT  DESCRIPTOR  COUNT  */ 

AST_DES_COUNT (ASTE#)  :=  AST_DES_COUNT ( ASTE#)  - 1; 

/♦  THE  FOLLOWING  DOES  NOT  APPLY  TO  WIRED  DOWN  SEGMENTS  ♦/ 

IF  (AST_CPL  (ASTE#)  & WIRED_DOWN_M ASK)  = 0; 

THEN: 

/♦  IF  NO  DESCRIPTORS  LEFT  THEN  UNLOCK  AND  ADD  TO  SWAP  CHAIN  ♦/ 

IF  (AST  DES  COUNT(ASTE#)  ^ 0)  ; 

THFN'.'a  StIsWAP_CH  AIN  (ASTE#)  AST_S  W AP_CHAIN  (0)  ; 

AST  SWAP  CHAIN  (0)  ASTE#; 

A3TJJNLOCK  (ASTE#)  :=  ( AST_UN LOCK ( A iTE #)  | A ST_ UN LOC K_F LAG)  ; 

END; 

/♦  ADJUST  MEMORY  QUOTA 

PS_MEM_C)OOTA  :=  PS_MEM_QUOTA  *■  AST_S  IZ  E ( ASTE#)  ; 

END  ; 

END; 


3.2.12  Outer  P (QUTERP) 

The  Outer  P CPC,  OUTERP,  is  a user  level  external  SKCPP  func- 
tion that  is  called  by  user  level  external  programs  with  the  para- 
meter seg//.  OUTERP  calls  only  one  kernel  level  internal  function. 

It  is  written  in  Project  SUE  System  Language,  including  the  Inline 
feature. 

3.2.12.1  Description 

OUTERP  performs  security  and  implementation  checks  preliminary 
to  calling  P when  P is  invoked  externally. 

If  AST_WAL(ASTE//)  logical  and  PS_PROCESSJiASK  equals  zero,  the 
process  does  not  have  write  access  to  the  segment,  and  OUTERP  returns 
with  ERR_JFLAG. 

It  then  performs  INLINE (SPLHIGH)  to  set  the  priority  level  high. 
If  SMFR_COUNT(ASTE#)  equals  -128,  it  is  beyond  the  bounds  of  the 
implementation  and  ERR_FLAG  is  returned.  Otherwise,  P is  called  to 
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decrement  the  semaphore  associated  with  the  specified  segment  and 
block  the  process  if  the  result  is  negative.  RC  is  set  to  OK_FLAG. 

Function:  OUTERP 

Parameters : OUTERP  (as  te//) 

Effect: 

IF  AST__WAL(aste//,TCP)  ; 

THEN:  P(aste//); 

ELSE:  RC(TCP)  = NO; 

END; 

3.2.12.2  N/A 

3.2.12.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

PCHECK  P 

3.2.12.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and  con- 
stants used  by  the  function  OUTERP.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2. 

Data  Base  References 

Global  References  Function  Parameters  Local  References 

PS___PROCESS_MASK  ASTE//  RC 

AST___WAL 

SMFR___COUNT 

Constants 


ERR_FLAG 

OK_FLAG 

SPL_JIIGH 

3.2.12.5  Limitations 

OUTERP  returns  ERR___FLAG  if 
access  to  the  segment  or  if  the 


the  process  does  not  have  write 
SMFR___COUNT  for  the  segment  equals 
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-128.  Otherwise,  RC=OK__FLAG.  The  SMFR_COTJNT  for  an  active  segment 
runs  from  +127  to  “’128. 

3*2.12.6  Listing 

DATA  OUTBRP  (ASTF#)  RFTURNS  (RC); 


PROGRAfI  OUTERP; 

/♦  SECURITY  CHECKS  FIRST 

/*  PROCESS  MUST  HAVE  WRITFSRFAD  ACCESS  TC  SEMAPHORE 

IF  (AST_WAL  (ASTE#)  E P S_ PROC E S S_H AS K)  = 0; 

THEN: 

RETURN  WITH  ERR_FLAG; 

END; 

/*  IMPLEMENTATION  CHECKS 

INLINE  (SPLHIGH)  ; 

IF  SMFR^COUNT  (ASTE#)  = - 12R; 

THEN:* 

RETURN  WITH  FRR^FLAG; 

END; 

/*  CHECKING  COMPLETE  - PERFORM  STATE  CHANGE 

P (ASTE#)  ; 

RC  :=  OK_FLAG; 


*/ 

*/ 


*/ 


*/ 


3.2.13  P (P) 

The  P CPC,  P,  is  a kernel  level  internal  SKCPP  function  that  is 
called  by  both  kernel  level  internal  functions  and  one  external  user 
level  function.  P calls  only  kernel  level  internal  functions.  It 
is  written  in  Project  SUE  System  Language,  including  the  Inline 
feature. 

3.2.13.1  Description 

P decrements  a specified  semaphore  counter,  and  if  the  result 
is  negative,  blocks  the  process. 

It  blocks  interrupts  by  setting  the  priority  level  high  using 
Inline  code,  and  then  decrements  SMFR__COUNT(SMFR//)  by  1.  If 
SMFR__C0UNT(SMFR//)  is  less  than  zero,  the  process  is  added  to  the 
queue  of  processes  blocked  on  this  semaphore:  PT__FLAGS  (THE__CURRENT__ 
PROCESS)  is  set  to  SMFR__POINTER(SMFR//)  logical  or  BLOCKED  and  SMFR__ 
POINTER (SMFR//)  is  set  to  THE_CURRENT_PROCESS . 
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If  the  current  process  has  been  blocked  it  also  starts  a new 
process  running,  as  follows.  If  SMFR#  is  less  than  KERNEL__SMFR , the 
operation  was  performed  on  a segment  semaphore.  A V is  performed  on 
KERNEL__SMER  to  prevent  the  possibility  of  a deadlock,  SLEEP  is  called 
to  find  the  next  process  ready  to  run,  and  a P is  performed  on 
KERNEL__SMFR  to  restore  its  previous  condition.  If  SMFR#  is  greater 
than  or  equal  to  KERNEL_SMFR,  P simply  calls  SLEEP.  It  then  resets 
the  priority  level  low  using  Inline  code  and  returns  control  to  the 
calling  program. 

Function:  P 

Parameters : P (smf r#) 

Effect : 

SMFR_COUNT(smfr#)  = ’ SMFR__COUNT’ (smf  r#)  - 1;) 

IF  SMFR_COUNT(smfr#)  < 0; 

THEN:  PT_FLAGS(TCP)  = BLOCKED; 

PT_LINK(TCP)  = 'SMFR_P01NTER’ (smfr#)  ; 

SMFR_P01NTER(smfr#)  = TCP; 

END; 

RC(TCP)  = YES; 

3.2.13.2  N/A 

3.2.13.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 


Calls 


Called  By 


P 

V 

SLEEP 


PCHECK 

OUTERP 

SWAP IN 

SWAPOUT 

IPCRCV 

P 


3.2.13.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  P.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  1,  List  of  Constants,  in  subpara- 
graph 3.3.2. 
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Data  Base  References 


Global  References  Function  Parameters  Local  References 


PT_FLAGS  SMFR#  None 

SMFR_COUNT 

SMFR_PO  INTER 

THE  CURRENT  PROCESS 


Constants 


BLOCKED 

KERNEL_SMFR 

SEG#_FLAG 

SPLHIGH 

SPLLOW 

3.2.13.5  Limitations 

If  the  SMFR^COUNT  for  the  specified  SMFR#  is  less  than  0 the 
process  is  blocked  and  added  to  the  queue  of  processes  blocked  on 
that  semaphore.  The  process  becomes  unblocked  when  enough  V's  are 
performed  (see  3.2.15.1). 

3.2.13.6  Listing 

DATA  P (S?1FP  # ) ; 


PROGRAM  P; 

/♦  BLOCK  INTFPRnPTS  */ 

INLINE  (SPLHIGH)  ; 

SMFR_COnNT  (SMFR#)  :=  S MF  RECOUNT  (S  M FK  t)  - 1; 

/*  IF  SEMAPHOKF  COUNT  IS  NEGATIVE,  THEN  PROCESS  BECOMES  BLOCKED  ♦/ 

IF  SMFR_COUNT  (SMFP#)  < 0; 

THEN: 

/♦  ADD  CtJPRFN'^  PROCESS  TO  QOFUE  OF  PROCESSES  BLOCKED  ON  SEMAPHORE  ♦/ 

PT_FLAG5  {THF_CnPPENT_PFOCESS)  :=  (SM  FR_P  OINT  S R (S  MF  R<f)  \ BLOCKED); 

SMFR^FOINTER  (SMFR#)  :=  T HE_CU  R R FNT_PPO  CE  S S ; 

/*  S>APT  A NEW  PROCESS  RUNNING  */ 

IF  SMFR#  < KERNEL^SMFR; 

THEN:  V (KEPNEL_S * 

SLEEP; 

P{KERNEL_SMFR) ; 

ELSE:  SLFFP; 


END; 


INLINE  (SPLLOW) ; 
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3.2.14  Outer  V (OUTERV) 


The  Outer  V CPC,  OUTERV,  is  a user  level  external  SKCPP  func- 
tion that  is  called  by  user  level  external  programs  with  the  para- 
meter seg#.  OUTERV  calls  one  kernel  level  internal  function.  It  is 
written  in  Project  SUE  System  Language,  including  the  Inline  feature 

3.2.14.1  Description 

OUTERV  performs  security  and  implementation  checks  whenever  V 
is  called  externally.  If  AST_WAL(ASTE#)  logical  and  PS_PROCESS_MASK 
equals  0,  the  process  lacks  write  access  to  the  semaphore,  so  OUTERV 
returns  with  ERR_FLAG.  To  prevent  interrupts,  it  sets  the  priority 
level  high  using  Inline  code.  Next,  if  SMFR_COUNT(ASTE//)  equals  127 
it  is  beyond  the  bounds  of  the  implementation,  and  OUTERV  returns 
with  ERR__FLAG.  Otherwise  it  performs  the  state  change,  called  V to 
increment  the  semaphore,  and,  if  the  result  is  non-positive,  makes 
ready  a process  blocked  on  the  semaphore.  OUTERV  returns  with  RC 
set  to  OK_FLAG. 

Function:  OUTERV 

Parameters : OUTERV (aste#) 

Effect: 

IF  AST_WAL ( as  te# , TCP ) ; 

THEN:  V(aste//); 

ELSE:  RC(TCP)  = NO; 

END; 

3.2.14.2  N/A 

3.2.14.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 
Called  By  Calls 

PCHECK  V 

3.2.14.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and  con- 
stants used  by  the  function  OUTERV.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2 
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Data  Base  References 


Global  References  Function  Parameters  Local  References 


AST_WAL  ASTE#  RC 

PS_PROCESS_MASK 

SMFR_COUNT 

Constants 


ERR_FLAG 

OK_FLAG 

SPL_HIGH 

3.2.14.5  Limitations 

OUTERV  returns  ERR__FLAG  if  the  process  does  not  have  write 
access  to  the  semaphore  or  if  the  SMFR_COUNT  for  the  segment  equals 
127. 


3.2.14.6  Listing 


DATA  OTJTSPV  (ASTE#)  PFTMRNS  (RC); 


PRCGRAW  CUTERV; 

/*  SECORITY  CHECKS  FIRST 

/*  PROCESS  «O.ST  HAVE  WRITFiREAD  ACCESS  TO  SEMAPHORE 

IF  {AST,MAL(ASTF#)  S P3_PROCESS  MASK)  = 0' 

THEN: 

RETDRN  WITH  rRR_FLAG; 

END  ; 

/»  IMPLEMENTATION  CHECKS 

INLINE  (S  PLHIGH)  ; 

IF  SMFR_COONT  (AST  F*)  = 127; 

THEN: 

....  RETURN  WITH  ERR  FLAG; 

END; 

/♦  CHECKING  COMPLETE  - PFRFORM  STATE  CHANGE 

V (ASTF#)  ; 

RC  :=  OK^FLAG; 
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3,2.15  V (V) 


The  V CPC,  V , is  a kernel  level  internal  SKCPP  function  that  is 
called  by  both  kernel  level  internal  functions  and  one  user  level 
external  function.  It  is  written  in  Project  SUE  System  Language, 
including  the  Inline  feature, 

3.2,15,1  Description 

V is  the  inverse  of  P;  it  increments  the  specified  semaphore 
counter  and,  if  the  result  is  non-positive,  makes  a blocked  process 
ready.  First,  it  prevents  interrupts  by  setting  the  priority  level 
high  using  Inline  code.  Then,  it  resets  the  SMFR_COUNT(SMFR//)  to 
SMFR_COUNT(SMFR#)  + 1. 

If  the  SMFR__COUNT (SMFR#)  is  positive,  the  priority  level  is 
set  low  using  Inline  code  and  V is  exited;  if  SMFR_COUNT(SMFR#) 
is  less  than  or  equal  to  zero,  a blocked  process  must  be  unqueued. 
PROCESS_A  is  assigned  the  value  of  SMFR_POINTER(SMFR#) . If 
SMFR__COUNT(SMFR//)  does  not  equal  0,  V finds  the  process  blocked 
longest  by  setting  PROCESS_B  equal  to  PROCESS_A  and  PROCESS_A  equal 
to  PT_LINK(PROCESS_B)  until  PT_LINK (PRO CESSNA)  equals  zero.  It  then 
removes  PROCESS__A  from  the  end  of  the  queue  by  setting  PT_J1,INK(PR0- 
CESS_B)  equal  to  0.  Otherwise,  if  SMFR_COUNT(SMFR#)  equals  0,  only 
PROCESS__A  is  blocked  on  the  semaphore;  V removes  it  by  setting 
SMFR_POINTER(SMFR//)  to  0. 

V then  readies  PROCESS_A  by  assigning  PT_FLAGS (PRO CESSNA)  the 
value  READY.  It  then  sets  the  priority  level  low  using  Inline  code 
and  returns. 

Function:  V 

Parameters:  V(smfr//) 

Effect:  SMFR_COUNT(smfr/0  = ’ SMFR__COUNT  ’ (smf  r//)  + 1; 

IF  SMFR_COUNT(smfr#)  <=  0; 

THEN: 

IF  SMFR_COUNT(smfr#)  = 0; 

THEN:  Let  process#  = ’SMFR_POINTER’ (smfr#) ; 

SMFR_POINTER(smfr#)  = 0; 

ELSE:  Let  process#  = VEND; 

VUNCHAIN(’SMFR_POINTER’  (smfr#))  ; 

END: 

PT_FLAGS (process#)  = READY; 

END; 

RC(TCP)  = YES; 


78 


Function:  VEND 
Parameters:  VEND  (process//) 

Value: 

IF  'PT_LINK' (process//)  = 0; 

THEN:  process//; 

ELSE:  VEND('PT_LINK' (process//))  ; 

END; 

Function:  VUNCHAIN 
Parameters:  VUNCHAIN (process//) 

Effect: 

IF  'PT_LINK' ('PT_LINK' (process//))  = 0; 
THEN:  PT_LINK  (process//)  = 0; 

ELSE:  VUNCHAIN ( 'PT_LINK'  (process//)  ) ; 
END; 


3.2.15.2  N/A 

3.2.15.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  In  paragraph  3.4. 

Called  By  Calls 

PCHECK  None 

OUTERV 

IPCRCV 

STOPP 

P 

3.2.15.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  V.  For  data  base  references  refer  to 
Figure  5,  Data  Base  Reference  Matrix,  In  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  In  subparagraph  3.3.2. 

Data  Base  References 


Global  References  Function  Parameters  Local  References 


PT_LINK  SMFR//  PR0CESS_A 

PT_FLAG  PR0CESS_B 

SMFR_COUNT 
SMFR  POINTER 
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Constants 


READY 

SPLHIGH 

SPLLOW 

3.2.15.5  Limitations 
None. 

3.2.15.6  Listing 

DATA  V(S?1PRi)  ; 

DECLARE 

Word  (process_a,  processes); 


PROGRAM  V; 

/♦  BLOCK  INTERRUPTS  ♦/ 

INLINE  (SPLHIGH)  ; 

SM^R_COUNT  (SMFR#)  z-  S MFR^COUNT  (SM  FR #)  + 1; 

/♦  IF  SEMAPHORE  COUNT  IS  NON-POSITIVE,  THEN  A PROCESS  BLOCKED  ON  THE  SEMAPHORE  ♦ 


♦ MUST  BE  UNQUEUED  V 

IF  SMFR_COUNT  (SMFR#)  <=  0; 

THENi 

/♦  THF  MOST  RFCENT  PROCESS  ADDED  TO  THIS  SEMAPHORE'S  QUEUE  ♦/ 

PROCSSS.A  :=  SMFR_POINTFR(SHFR#)  ; 

/♦  IF  THERE  IS  MORE  THAN  ONE  PROCESS  ON  QUEUE,  FOLLOW  CHAIN  THROUGH  ♦ 

♦ PROCESS  TABLE  ♦/ 


IF  SMFR_COUNT(SMFH#)  0; 

THFN:“ 

CYC  LF 

EXIT  When  pt_link  (procfss^a)  = O; 

PROCFSS_B  ;=”?ROCESS_A ; 

PPOCESS^A  :=  PT_LI  Nk7pROCSSS_B)  ; 

FND;  ” 

/♦  REMOVE  PRaCESS_A  FROM  END  OF  QUEUE  */ 

PT_LINK  (I^ROCESS^E)  :=  0; 

ELSE:  SMFR_POINTEr'(SMFP#)  :=  0; 

FND; 

/♦  PROCESS^A  BECOMES  READY  ♦/ 

PT_FLAGS  (PPOCESS_A)  :=  FEADY; 

END; 

INLINE  (SPLLOW)  ; 
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3.2.16  Send  Interprocess  Communication  (IPCSEND) 


The  Send  Interprocess  Communication  CPC,  IPCSEND,  is  a user 
level  external  SKCPP  function  that  is  called  by  user  level  external 
programs  and  one  user  level  external  function  with  the  parameters 
process//  and  message.  It  is  written  in  Project  SUE  System  Language. 

3.2.16.1  Descr iption 

IPCSEND  sends  a message  to  a specified  process  if  security  and 
implementation  constraints  are  met.  If  PT__FLAGS (PROCESS//)  logical 
and  PT__FLAGS_MASK  equals  INACTIVE,  IPCSEND  returns.  It  has  no  re- 
turn code  since  that  might  be  used  to  compromise  security. 

If  PS_CURRENT_PROCESS  does  not  equal  EXEC_PROCESS// , it  is  not 
trusted  and  the  following  security  checks  must  be  made  to  preserve 
the  ^-property.  If  PT_CURRENT_CLASS  (PROCESS//)  is  less  than 
PS__CUR_CLASS  or  if  PT_CUR_C AT  (PROCESS//)  does  not  equal  PT_CUR_CAT 
(PROCESS//)  logical  or  PS ^CUR__CAT,  IPCSEND  returns  with  no  effect. 

If  PT__IPC__QUOTA(PROCESS//)  is  zero,  IPCSEND  ignores  the  call  be- 
cause the  receiving  process  has  no  more  free  IPC  elements. 

Checking  complete,  it  then  allocates  an  element  from  the  queue 
of  free  elements  by  assigining  INDEX  the  value  of  IPC_LINK(0) , and 
resetting  IPC_LINK(0)  to  IP C_LINK( INDEX)  and  IP C_LINK( INDEX)  to  0. 

It  fills  in  the  element  by  letting  IPC_PROCESS// (INDEX)  equal 
PS_CURRENT__PROCESS  logical  or  DOMAIN  and  letting  IP C_DATA( INDEX) 
equal  MESSAGE. 

If  PT_IPC_QUEUE_HEAD (PROCESS//)  logical  and  BYTE_MASK  equals 
IPC__WAIT,  the  specified  process  is  blocked  because  it  is  awaiting  a 
message  and  none  was  available.  In  this  case,  PT_IPC_QUEUE_HEAI) 
(PROCESS//)  is  set  to  INDEX  and  the  process  is  unblocked  by  setting 
PT_FLAGS  (PROCESS//)  to  READY.  Otherwise,  the  new  IPC  element  must  be 
appended  to  the  process ^ s queue  of  messages.  If  PT_IPC_QUEUE_HEAI) 
(PROCESS//)  equals  zero,  the  processes  IPC  queue  is  empty,  and 
PT_IPC_QUEUE_J1EAD (PROCESS//)  is  set  to  INDEX.  If  not,  to  find  the 
end  of  the  queue,  INDEX2  is  set  equal  to  PT_IPC_QUEUE_HEAD(PROCESS//)  . 
Until  IPC_LINK(INDEX2)  equals  zero,  INDEX2  is  reset  to  IPC_LINK 
(INDEX2).  Since  INDEX2  now  holds  the  IPC  element  number  of  the  last 
element  in  the  queue,  letting  IPC_LINK(INDEX2)  equal  INDEX  attaches 
the  new  element  to  the  end  of  the  queue. 

Finally,  the  IPC  element  quota  of  the  receiving  process  is 
adjusted  by  decrementing  PT__IPC_QUOTA (PROCESS//)  and  IPCSEND  is 
exited. 
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Function:  IPCSEND 

Parameters : IPCSEND(process#, message , domain) 

Effect : 

IF  (PT_FLAGS (process#)  INACTIVE)  & 

(((PS_CUR_CLASS  (process#)  f = PS_CUR_CLASS  (TCP)  ) & 

(PS_CUR_CAT (process#)  ^ PS_CUR_CAT(TCP) ) ) I 
(PT_TYPE(TCP)  = TRUSTED))  & 

('PT_IPC_QUOTA' (process#)  i 0); 

THEN:  Let  ipce#  = ' IPC_LINK' (0) ; 

IPC_LINK(0)  = 'IPC_LINK' (ipce#) ; 

IPC_LINK(ipce#)  = 0; 

IPC_PROCESS(ipce#)  = TCP; 

IPC_DOMAIN(ipce#)  = domain; 

IPC_DATA(ipce#)  = message; 

IF  'PT_IPC_QUEUE_HEAD' (process#)  = 0; 

THEN:  PT_IPC_QUEUE_HEAD (process#)  = ipce#; 

ELSE:  Let  eipce#  = FINDIPCEND( 'PT_IPC_QUEUE_HEAD ' (process#) ) ; 

IPC_LINK(eipce#)  = ipce#; 

END; 

PT_IPC_QUOTA(process#)  = 'PT_IPC_QUOTA' (process#)  - 1; 

IF  'PT_IPC_WAIT' (process#)  = NO; 

THEN;  PT_IPC_WAIT(process#)  = OFF; 

PT_FLAGS (process#)  = READY; 

END; 

END; 

Function:  FINDIPCEND 

Parameters:  FINDIPCEND(ipce#) 

Value: 

IF  IPC_LINK(ipce#)  = 0; 

THEN:  ipce#; 

ELSE:  FINDIPCEND(IPC_LINK(ipce#)) ; 

END; 

3.2.16.2  N/A 

3.2.16.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

PCHECK  None 

STOPP 
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3,2. 16. 4  Data  Organization 


Listed  below  are  Security  Kernel  data  base  references  and  con- 
stants used  by  the  function  IPCSEND.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2 

Data  Base  References 


Global  References  Function  Paraineters  Local  References 


PT_FLAGS  PROCESS//  INDEX 

PT_CUR_CLASS  MESSAGE  INDEX2 

P T_CUR_CAT  DOMAIN 

PT_IPC_QUOTA 

PT_IP  C_QUEUE_JIEAD 

P S_CURRENT_PRO  CESS 

IPC_LINK 

IPC_PROCESS// 

IPC_DATA 

Constants 

EXEC_PROCESS// 

INACTIVE 

IPC_WAIT 

PT_FLAGS_MASK 

READY 

3.2.16.5  Limitations 


If  the  PT_IPC_QUOTA  for  the  process  is  zero,  IPCSEND  ignores 
the  call.  IPCSEND  returns  with  no  return  code  if  PS_CURRENT_PROCESS 
is  not  equal  to  EXEC_PROCESS//,  if  PT_CURRENT_CLASS  (PROCESS//)  is  less 
than  PS_CUR_CLASS,  if  PT_CUR_CAT (PROCESS//)  does  not  equal  PT_CUR_CAT 
(PROCESS//)  logical  or  PS_CUR_CAT,  or  if  PT_FLAGS  and  PT_FLAGS_MASK 
equals  INACTIVE. 

3.2.16.6  Listing 


DATA  IPCSEND  (T^POCFSS MESSAGE,  DO*^ATN); 
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PROGBAfl  IPCSEND; 

DECLARE 

WORD  (INDEX,  INDEX2)  ; 

IF  (P?_FLAGS  (PROCESS#)  S PT  FLAGS  MASK)  = INACTIVE; 

THEN: 

....  RETURN; 

END; 

/*  SECURITY  CHECK 

IF  PS_ClIRRENT_PFOCESS  -=  EXEC_PROCESS  # ; 

THEN: 

IF  PT_CUR_CLASS (PROCESS!)  < PS_cnR_CLA SS ; 

THEN: 

RETURN; 

END; 

IF  PT_CUR_CAT  (PROCESS!)  -=  (PT_cnR_CAT  (PROCESS  i)  ) FS_CURCAT) 
THEN: 

RETURN; 

END; 

END; 

/♦  IMPLEMENTATION  CHECK 

IF  PT_IPC_QUOTA(PROCESS#)  = 0; 

THEN: 

....  RETURN; 

END; 

/♦  ALLOCATE  AN  IPC  QUEUE  ELEMENT 

INDEX  IPC_LINK(0); 

IPC_LINK(0)  ;=  IPC_LINK  (INDEX)  ; 

IPcIlinK  (INDEX)  :=“0; 

/♦  FILL  IN  IPC  ELEMENT 

IPC_PROCESS«  (INDEX)  :=  (PS_CURRENT_PROCESS  1 DOMAIN); 

IPC_DATA  (INDEX)  : = MESSAGE; 

/♦  IS  PROCESS  WAITING? 

IF  (PT_IPC_QUEUE_HEAD  (PROCESS#)  & BYTE_MASK)  = IPC_HAIT: 

THEN:  PT_IPC_QUEUE_HEAD (PROCESS#)  :=  INDEX; 

PT_FLAGS  (PROCESS#)  :=  READY; 

ELSE: 

IF  PT_IPC_OUEUE_HEAD  (PROCESS#)  = 0; 

THEN:  PT_IPC_QDFUE_HEAC  (PROCESS#)  :=  INDEX; 

ELSE:  INDEX2“:=  PtIipC_QOEOE_HEAD (PROCESS#) ; 

CYCLE 

EXIT  WHEN  IPC_LINK (INDEX2)  = 0; 

IND2X2  :=  IPC_LINK  (INBEX2)  ; 

EN^; 

TPC_LINK (INDEX2)  :=  INDEX; 

END; 

END; 

/*  ADJUST  QUOTA 

PT_IPC_QrjOTA  (PROCESS#)  :=  PT_IPC_QUOTA(i‘ROCFSS#)  - 1; 


3.2.17  Receive  Interprocess  Communication  (IPCRCV) 


The  Receive  Interprocess  Communication  CPC,  IPCRCV,  is  a user 
level  external  SKCPP  function  that  is  called  by  user  level  external 
programs.  IPCRCV  calls  only  kernel  level  internal  functions.  It  is 
written  in  Project  SUE  System  Language. 

3.2.17.1  Description 

IPCRCV  receives  an  interprocess  communication  message.  If 
PT_IPC_QUEUE_HEAD(PR_CURRENT_PROCESS)  equals  0,  there  are  no  messages 
on  queue.  In  this  case,  IPCRCV  sets  PT_IPC_QUEUE_HEAD(PS_CURRENT_ 
PROCESS)  to  IPC_WAIT  and  PT_FLAGS  (PS_CURRENT_PROCESS)  to  BLOCKED. 

This  prevents  future  allocation  of  the  processor  to  the  current  pro- 
cess.  Then,  to  prevent  a deadlock,  it  calls  V to  increment  the 
kernel  semaphore  and  then  calls  SLEEP  to  find  and  execute  the  next 
process  that  is  ready.  When  a message  is  available  and  the  process 
is  unblocked  and  running,  it  performs  a P on  the  kernel  semaphore  to 
restore  its  original  value. 

Now,  to  remove  the  IPC  element  from  the  head  of  queue,  INDEX  is 
set  to  PT_IPC_QUEUE_HEAD(PS_CURRENT_PROCESS)  and  PT_IPC_QUEUE_HEAD 
(PS_CURRENT_PROCESS)  is  set  to  IPC_LINK (INDEX)  . 

IPCRCV  can  now  use  the  information  from  the  IPC  message  element. 
It  assigns  RC  the  sending  process//  and  domain  held  in  IPC_PROCESS// 
(INDEX)  and  KRC2  gets  the  message  held  in  IPC_DATA(INDEX) . 

The  IPC  element  is  then  put  back  on  the  free  chain  and  the 
process’  quota  is  credited.  IPC_LINK( INDEX)  is  set  equal  to 
IPC_LINK(0)  and  IPC_LINK(0)  is  set  to  INDEX.  IPCRCV  then  increments 
PT_IPC_QUOTA(PS_CURRENT_PROCESS)  to  conclude  the  operation. 

Function:  IPCRCV 

Parameters : IPCRCV 

Effect: 

IF  ’PT_IPC_QUEUE_HEAD’ (TCP)  = 0; 

THEN:  PT_IPC_WAIT(TCP)  = ON; 

PT_FLAGS(TCP)  = BLOCKED; 

IPCRCV2 ; 

ELSE:  IPCUNQUEUE; 

END; 
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Function:  IPCUNQUEUE 

Parameters:  IPCUNQUEUE 

Effect: 

Let  ipce//  = ’PT_IPC_QUEUE_HEAD  ’ (TCP)  ; 

PT_IPC_QUEUE_HEAD(TCP)  = ' IPC_LINK’ (ipce//)  ; 

RC(TCP)  = lPC_PROCESS(ipce//)  , IPC_DOMAIN(ipce//)  , IPCJDATA(ipce//)  ; 
IPC_LINK(ipce//)  = ’ IPC_LINK' (0)  ; 

IPC_LINK(0)  = ipce//; 

PT_IPC_QUOTA(TCP)  = 'PT_IPC_QUOTA' (TCP)  + 1; 

Function:  IPCRCV2 

Parameters : IPCRCV2 

Effect : 

IF  'PT_IPC_QUEUE_HEAD’ (TCP)  ^ 0; 

THEN:  IPCUNQUEUE; 

END; 

3.2.17.2  N/A 


3.2.17.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

PCHECK  P 

V 

SLEEP 


3.2.17.4  Data  Organization 


Listed  below  are  Security  Kernel  data  base  references  and  con- 
stants used  by  the  function  IPCRCV.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2 


Data  Base  References 


Global  References  Function  Parameters  Local  References 

PT_IPC_QUEUE_HEAD  None  INDEX 

PT_FLAGS  RC 

PT_IPC_QUOTA 

PS_CURRENT_PROCESS 

IPC_LINK 

IPC_PROCESS// 

IPC  DATA 
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Constants 


BLOCKED 

IPCJWAIT 

KERNEL_SMFR 

3.2.17.5  Limitations 

None 


3.2.17.6  Listing 


DATA  IPCPCV  RtTHRNS  (PC); 
PFCLAPE 

WOPD  (INDEX); 


PRCGKAM  TPCRCV; 

/♦  NO  SECURITY  CHECKING  ♦/ 

/♦  ANYTHING  THERE  ♦/ 

IF  PT_IPC_C)UEnS_HEAD(PS_CURRFNT_PROCESS)  = 0; 

THEN:  PT_TPC_QnEnE_HEAD(PS_CURRENT_PROCESS)  :=  IPC_HAIT; 

PT_FLAGS  (PS_CURRT='Nr_PROC£SS)  :=”bLOCKED; 

V(KEPNFL_SE1FR)  ; 

SLEEP; 

P (KFPNEL^SMFR) ; 

END; 

/*  REMOVE  FIRST  MESSAGE  ELEMENT  */ 

INDEX  :=  PT_IPC_QHEHE_HEAC<PS_CDRRENT_PROCESS) ; 

PT_IPC_C)HFUE_HEAD  (PS_CURRFNT_PROCESS)  IPC_L  INK  ( I NDEX)  ; 

/*  TAKE  STUFF  OUT  OF  IPC  MESSAGE  ELEMENT  ♦/ 

RC  IPC^PPOCESSi (INDEX) ; 

KRC2  :=  TPC_DAT  A (INDEX)  ; 

/*  POT  BACK  ON  FREE  CHAIN  AND  INCREMENT  QUOTA  ♦/ 

IFC^LINK  (INDEX)  ;=  TPC_LINK(0); 

IPC_LTNK(0)  INDEX; 

PT_IPC_QUOTA  (PS_CnRRENT_PROCESS)  PT_IPC_QUOT  A ( PS_CURRENT_  PROCESS)  ♦ 1; 
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3.2.18  Stop  Process  (STOPP) 


The  Stop  Process  CPC,  STOPP,  is  a user  level  external  SKCPP 
function  that  is  called  by  user  level  external  programs.  STOPP 
calls  both  user  level  external  functions  and  kernel  level  internal 
functions.  It  is  written  in  Project  SUE  System  Language. 

3.2.18.1  Description 

STOPP  terminates  a user’s  ownership  of  a process.  It  loops  with 
I going  from  SEGy/_MIN  to  SEG#_MAX,  setting  ASTE#  equal  to  PS_SEG(I) . 
Then,  if  ASTE//  logical  and  SEG_FLAG  equals  0,  ASTE#  indeed  contains 
an  AST  entry  number,  so  segment  I is  in  the  process’s  WS.  If  so, 

STOPP  calls  DCONNECT  to  release  any  segments  to  which  the  process 
has  access . 

It  then  sets  I equal  to  PT_IPC_QUEUE_HEAD(PS_CURRENT_PROCESS)  . 

If  I does  not  equal  0,  the  IPC  queue  must  be  cleared.  To  find  the 
last  element  in  the  IPC  queue,  until  IPC_LINK(I)  equals  0 , I is  re- 
set to  IPC_LINK(I).  The  entire  IPC  queue  is  inserted  at  the  head  of 
the  free  element  chain  by  letting  IPC_LINK(I)  equal  IPC_LINK(0), 
IPC_LINK(0)  equal  PT_IPC_QUEUE__HEAD (PS_CURRENT_PROCESS)  , and 
PT_IPC_QUEUE_HEAD(PS_CURRENT_PROCESS)  and  PT_IPC_QUEUE_HEAD 
(PS_CURRENTJPROCESS)  equal  0. 

Next,  STOPP  prepares  to  remove  the  process’s  kernel  stack.  It 
sets  ASTE#  to  PT__KS_ASTEy/ (PS_CURRENT_PROCESS)  which  holds  the  aste# 
of  the  process  ’ s kernel  stack.  It  adds  this  to  the  chain  of  segments 
eligible  to  be  swapped  out  by  letting  AST__SWAP_CHAIN(ASTE#)  equal 
AST_SWAP_CHAIN(0)  , and  letting  AST__SWAP_CHAIN(0)  equal  ASTE#.  It 
also  resets  AS T_UN LOCK (ASTE#)  to  AST_UNLOCK(ASTE#)  logical  or 
AST_UNLOCK_FLAG. 

In  order  to  inform  the  executive  process  of  the  current  process’s 
termination,  STOPP  calls  IPCSEND.  It  then  sets  PT_FLAGS (PS_CURRENT_ 
PROCESS)  to  INACTIVE,  performs  a V on  the  kernel  semaphore  to  pre- 
vent deadlocking,  and  calls  SLEEP  to  allocate  the  processor  to  a 
ready  process. 

Function:  STOPP 

Parameters:  STOPP (process#) 

Effect : 

(Vseg#) 

IF  (SEG#_MIN<seg#<SEG_MAX)  & 

PS_SEG_INUSE (process#, seg#) ; 

THEN:  DGONNEGT(process#,PS_SEG(process#,seg#) ,seg#); 

END; 
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IF  ’PT_IPC_QUEUE_HEAD’ (process#)  + 0 

THEN:  Let  ipce#  = FIND  IP  SCEND  ( ’PT_IPC__QUEUE_HEAD  (process#) ) ; 
IPC_LINK(ipce#)  = ’IPC_LINK'  (0); 

IPC_LINK(0)  = ’PT_IPC__QUEUE_HEAD’  (process#)  ; 

PT_IPC_QUEUE_HEAD  (process#)  = 0; 

END: 

PT__FLAG  (process#)  = INACTIVE; 
IPCSEND(EXECUTIVE_PROCESS#,0,KERNELJ)OMAIN) ; 

SLEEP ; 

3.2.18.2  N/A 

3.2.18.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

PCHECK  DCONNECT 

IPCSEND 

V 

SLEEP 

3.2.18.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and  con- 
stants used  by  the  function  STOPP.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2. 

Data  Base  References 

Global  References  Function  Parameters  Local  References 

PT^FLAGS  None  ASTE# 

PT_KS_ASTE#  I 

PT_IP  C_QUEUE_HE  AD 

PS_CURRENT_PRO  CESS 

AST_SWAP_CHAIN 

AST_UNLOCK 

IPC_LINK 

Constants 

AST_UNLOCK_FLAG 

EXEC_PROCESS# 

INACTIVE 
KERNEL  DOMAIN 
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KEENEL__SMFR 

SDR__READ__ACCESS 

SEG__FLAG 

SEG#J1AX 

SEG#_MIN 

3-2.18.5  Limitations 
None 

3.2.18.6  Listing 

DATA  STOPP; 


PPOGRAr.  STOPP; 

DECLARE 

WORD  (I,  ASTE#,  DUMMY); 

/♦  CLEAR  OUT 

DO  I ;=  SFG#_MIN  TO  S'-Q#  MAX; 

ASTS#  : = PS_SEG  (T)  ;” 

IF  (ASTFf  G SEG_FLAG)  = 0; 

THEN:  DCONNECT(I,  ASTE#); 

END; 

END; 

/♦  CLEAR  OUT  IPC  QUFUE 

I :=  PT_.IPC_QUEUE_HFAD(PS_CUPRENT_PROCESS)  ; 

I F I -.=  0 ; 

THEN: 

CYCLE 

....  EXIT  WHEN  IPC_LINK(I)  = 0; 

I : = IPC  link7i) ; 

END; 

IPC_.LINK(I)  :=  IPC_LINK(0); 

IPC^LINK  (0)  :=  PT_IPC_OUEUE_HEAr(PS_CURRRNT_PRnCESS)  ; 

PT^IPC  QUEUE_HEAd7ps_CUPRENT  PROCESS)  :=  0;* 

EN  D ; “ " 

/♦  GET  RID  OF  K STACK 

ASTE#  :=  PT_KS_ASTE# (PS_CnRPENT_PROCESS)  ; 

AST_SWAP_CHAIN  (ASTE  #)  :=  AST_SHAP  CHAIN  (0); 

AST_SHAP_CHAIN (0)  ;=  ASTE#; 

AST_UNLOCK  (ASTF#)  :=  ( A S P_UN LOCK ( ASTE#)  | AST_UNLOCK_FL AG) 

/♦  LET  EXEC  KNOW  WHAT*S  HAPPENING 

IPCSEND(FXEC_PROCFSS#,  0,  K ERNFL_DOM A IN ) ; 

PT_FLAGS  (PS_.CnRRFNT_PROCESS)  ;=  INACTIV-E; 

V (KFRNEL^SHPR)  ; 


3*2.19  Read  Directory  (READIR) 


The  Read  Directory  CPC,  READIR,  is  a user  level  external  SKCPP 
function  that  is  called  by  user  level  external  programs  with  the 
parameters  aste//  and  offset.  READIR  calls  only  kernel  level  internal 
functions.  It  is  written  in  the  Project  SUE  System  Language. 

3.2.19.1  Description 


READIR  gives  interpretive  read  access  to  an  entry  in  a direc- 
tory in  the  process’s  address  space. 

If  AST__TYPE(ASTE//)  logical  and  AST__TYPE__MASK  does  not  equal 
AST_TYPE_DIRECTORY  the  specified  segment  is  not  a directory,  so 
READIR  returns  with  ERR__FLAG. 

Next,  READIR  must  gain  access  to  the  directory.  If  AST_ADR 
(ASTE//)  is  zero,  the  directory  is  not  present  in  main  memory.  SWAPIN 
is  called  to  correct  this  situation.  LSD  is  then  invoked  to  load  the 
segment  descriptors.  If  D IR__S I ZE (OFFSET)  equals  zero,  READIR  returns 
with  ERR^FLAG;  otherwise  checking  is  complete  and  the  data  in  the 
directory  that  is  at  the  security  level  of  the  directory  can  be 
returned.  CLASS,  CAT,  SEG_TYPE,  and  SIZE  are  assigned  the  value  of 
DIR__CLASS  (OFFSET)  logical  and  DIR_CLASS_MASK,  DIR_CAT  (OFFSET)  , 
DIR__TYPE (OFFSET)  logical  and  DIR__TYPE__MASK,  and  DIR_SIZE  (OFFSET)  , 
respectively.  READIR  then  regains  access  to  the  user’s  SR0  stack  by 
assigning  to  KSDR3  and  KSAR3  the  values  of  SDR0  and  SAR0.  It  then 
inserts  the  data,  letting  CLASS^APARM,  CAT__APARM,  SEG_TYPE_APARM, 
and  SIZE__APARM  equal  CLASS,  CAT,  SET__TYPE,  and  SIZE.  READIR  then 
returns  with  RC  set  to  OK_FLAG. 

Function:  READIR 

Parameters : READIR(process//,  aste//  ,of  fset) 

Effect : 

IF  (AST__TYPE(aste//)  = DIRECTORY  & 

(DIR__SIZE  (aste// , of  fset)  ^ 0 

THEN:  RC(process//)  = DIR__TYPE  (aste// , of  fset)  , 

DIR_CLASS  (aste/^,  offset)  , 

DIR_CAT (aste//,  offset)  , 

DIR__SIZE  (aste^  offset)  ; 

ELSE:  RC(process//)  = NO; 

END; 

3.2.19.2  N/A 
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3.2.19.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

P CHECK  SWAP IN 

LSD 


3.2.19.4  Data  Organization 


Listed  below  are  Security  Kernel  data  base  references  and  con- 
stants used  by  the  function  READIR.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1.  For 
constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph  3.3.2 

Data  Base  References 

Global  References  Function  Parameters  Local  References 


AST_TYPE  ASTE#  CLASS 

AST_ADR  OFFSET  CAT 

DIR_CLASS  SEG_TYPE 

DIR_CAT  SIZE 

DIR  TYPE  RC 


DIR_SIZE 

CLASS_ALARM 

CAT_APARM 

SEG_TYPE_APARM 

SIZE_APARM 

SDR  & SAR 


Constants 


AST_TYPE_DIRECTORY 

AST_TYPE_MASK 

DIR_CLASS_MASK 

DIR_KSR_ADR 

DIR_TYPE 

DIR_TYPE_MASK 

ERR_FLAG 

OK_FLAG 

SDR  READ  ACCESS 
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3.2.19.5  Limitations 


READIR  returns  ERR__FLAG  if  the  specified  segment  is  not  a 
directory  or  if  the  specified  offset  is  not  in  main  memory.  Other- 
wise, RC  = OK^FLAG. 

3.2.19.6  Listing 


DATA  PEADIR (ASTF#,  OFFSET)  RETURNS  (RC); 


PROGRAM  READIR; 

DECLARE 

WORD  (CLASS,  CAT,  SEG_TYPE,  SIZE); 

/♦  IMPLEMENTATION  CHECKS 

/*  CHECK  THAT  SPECIFIED  SEGMENT  IS  A DIRECTORY 

IF  (AST_TYPE(ASTE#)  & AST  TYPE  MASK)  AST  TYPE  DIRECTORY: 
THEN: 

....  RETURN  WITH  ERR_FLAG; 

END; 

/♦  GAIN  ACCESS  TO  THE  DIRECTORY 

IF  AST^ADB  (ASTE#)  = 0; 

THEN?  SHAPIN  ( ASTE#)  ; 

END; 


*/ 

*/ 


*/ 


LSD(ASTE#,  DIR_KSR_ADR,  S DR_READ_ ACCESS) ; 

/♦  CHECK  THAT  SPECIFIED  OFFSET  EXISTS 

IF  DlR_SIZE(OFFSFT)  = 0; 

THEN? 

..  RETURN  WITH  ERR  FLAG; 

END; 

/*  SAVE  CLASS,  CAT,  SSG^TYPE,  AND  SIZF 

CLASS  :=  niR_CLASS (OFFSET)  & DIR_CLASS  MASK; 

CAT  :=  DI  R_CAT  (OFFSET)  ; 

SEG_TYPE  :=  DIR_TYPE (OFFSET)  R DIR  TYPE_MASK; 

SIZE  :=  DIR_SIZ F (OFFSET) ; 

/♦  REGAIN  ACCESS  TO  USERS  SRO  STACK  AND  INSERT  DATA 

KSDR3  :=  SDRO; 

KSAR3  :=  SARD; 

CLASS_APARM  CLASS; 

CAT^APARM  :=  CAT; 

SEG_TYPE_APARM  :=  SEG  TYPE; 

SIZE^APARM  :=  SIZE; 

RC  :=  OK_FLAG; 
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3.2.20  Start  Process  (STARTP) 


The  Start  Process  CPC,  STARTP,  is  a user  level  external  SKCPP 
function  that  is  called  by  only  one  user  level  external  program,  the 
Executive  Process  with  the  parameters  process//  user,  project,  class, 
cat,  proc^of f set// , and  new_process//.  STARTP  calls  both  user  level 
external  functions  and  kernel  level  internal  functions.  It  is  written 
in  Project  SUE  System  Language,  including  the  Inline  feature. 

3.2.20.1  Description 

STARTP  initializes  a new  process  when  invoked  by  the  Executive 
Process.  If  PS_CURRENT_PROCESS  does  not  equal  EXEC_PROCESS// , it 
returns  with  ERR_FLAG.  Also,  if  PT_FLAGS (PROCESS//)  logical  and 
PT_FLAGS_tiASK  (the  FLAGS  and  LINK  entries  share  a byte)  is  not 
INACTIVE,  it  returns  ERR_FLAG. 

STARTP  then  calls  LSD  to  load  the  segment  descriptors  of  the 
new  process’s  process  segment  so  the  PS  can  be  initialized.  It  sets 
PS_CURRENT_PROCESS  to  PROCESS#,  PS_USER_ID  to  USER,  PS_PROJECT_ID  to 
PROJECT,  PS_CUR_CLASS  and  also  PT_CUR_CLASS  (PROJECT//)  to  CLASS, 
PS_CUR_CAT  and  also  PT_CUR_C AT  (PROCESS//)  to  CAT,  PSJiEM_QUOTA  to 
MEM_QU0TA,  and  PT_IPC_QUOTA  to  IPC_QU0TA.  STARTP  uses  Inline  code  to 
find  MASK  and  NOTMASK,  it  moves  the  process#  to  register  3,  decre- 
ments it,  and  negates  it.  Then,  registers  0 and  1 are  set  to  400016 
(all  0’s  except  the  second  bit,  bit  14)  and  BFFF]^g  (all  I’s  except 
the  second  bit),  respectively.  It  then  performs  an  ASH  to  shift 
arithmetically  the  contents  of  registers  0 and  1 N places,  where  N 
is  the  number  in  register  3.  If  N is  positive,  a left  shift  is  per- 
formed, and  the  low  order  bits  are  filled  in  with  0’s;  if  N is  nega- 
tive, a right  shift  is  performed  and  bit  15  is  replicated.  Since 
register  3 contains  1 - PROCESS//,  the  result  in  register  0 is  a 1 in 
the  bit  corresponding  to  the  process  number,  and  0’s  elsewhere,  the 
leftmost  bit  representing  process  0 and  the  rightmost,  process  15. 
Register  1 contains  the  one’s  complement  of  register  0 except  that 
for  process  0 it  contains  0’s  in  both  the  leftmost  and  the  rightmost 
bits.  Register  0 is  moved  to  PS_PROCESS_MASK  and  register  1 is 
moved  to  PS_PROCESS_NOTMASK,  which  are  used  in  accessing  AST_CPL  and 
AST_WAL.  STARTP  then  sets  each  PS_SAR(I)  and  PS_SDR(I)  to  0,  as  I 
goes  from  0 to  15.  Also,  with  I starting  at  0 until  I equals 
SEG//_MAX,  PS_SEG(I)  is  set  equal  to  I + 1 logical  or  SEG_FLAG, 
placing  all  segment  numbers  on  the  free  segment  chain.  Assigning 
PS_SEG(SEG//_MAX)  the  value  SEG__FLAG  marks  the  end  of  the  free  seg- 
ment chain  and  completes  the  insertion  of  the  process  segment  infor- 
mation. 


94 


START?  then  puts  ROOT  in  the  access  space  of  the  new  process. 

It  takes  segment  1 from  the  free  chain  by  letting  PS_SEG(0)  = 
PS_SEG(1)  and  assigned  to  it  ROOT__ASTE// . It  then  connects  the  new 
process  to  ROOT  by  resetting  AST_CPL(ROOT__ASTE//)  to  AST_CPL(ROOT_^ 
ASTE//)  logical  or  PS__PROCESS_MASK. 

Now,  access  to  user  and  kernel  stacks  are  provided  for  the  new 
process.  GETR  is  called  to  gain  read  access  to  the  process  directory 
directory  segment  specified  by  ROOT__ASTE// , PDD_OFFSET;  the  seg// 
returned  is  assigned  to  PDD__SEG//.  Next,  read  access  is  gained  to  the 
executive’s  process  directory  using  GETR;  similarly,  the  segment 
number  returned  is  assigned  to  PD_SEG//.  GETW  is  now  called  to  pro- 
vide write  access  to  a user  stack  identified  by  an  offset  into  the 
process  directory  of  PROCESS#.  START?  assigns  the  seg#  GETW  returns 
to  SS_SEG#.  This  segment  is  then  ENABLEd.  To  get  write  access  to 
the  kernel  stack  is  more  difficult  because  GETW  would  fail.  First, 
the  segment  descriptors  of  the  process  directory  are  loaded  with  LSD. 
START?  then  sets  KS_ASTE#  to  the  aste#  of  the  PROCESS#_MAX  + PROCESS# 
entry  to  the  process  directory:  DIR_DISK  holds  the  disk  address  of 
the  entry  and  HASH  converts  this  to  an  AST  entry  number.  If  KS_ASTE# 
is  0,  START?  halts.  Otherwise,  the  segment  descriptors  of  the  seg- 
ment identified  by  KS_ASTE#  are  loaded,  the  AST_pES_COUNT(KS_ASTE#) 
is  incremented,  and  PT_KS_ASTE# (PROCESS#)  is  set  equal  to  KS_ASTE//. 

START?  now  calls  DCONNECT  to  release  from  the  WS  some  inter- 
mediate directories,  the  process  directory  directory  and  the  process 
directory.  It  invokes  GETR  to  gain  read  access  to  the  code  directory 
identified  by  ROOT_ASTE#,  CD_OFFSET  and  assigns  its  segment  number 
to  CD_SEG#.  Next,  it  calls  GETR  to  gain  access  to  the  segment, 
PS_SEG(CD_SEG#) , PROC_OFFSET,  and  assigns  its  segment  number  to 
PROC_SEG#.  A call  to  ENABLE  places  PROC_SEG//,  which  contains  the 
new  process’s  initial  code  segment,  in  the  AS.  The  code  directory, 
CD_SEG#  can  now  be  released  by  DCONNECT. 

START?  then  calls  LSD  to  switch  back  to  the  executive  process 
by  loading  the  descriptors  of  its  process  segment  in  the  register  at 
?S_KSR_ADR.  LSD  is  called  again  to  load  the  segment  descriptors  of 
the  new  process  to  give  the  executive  process  write  access  to  its 
process  segment. 

Setting  ?T_R5 (PROCESS#) , a general  register,  equal  to  zero, 
?T_FLAGS (PROCESS#)  to  READY,  and  PT_1PC_QUEIJEJE[EAD  to  zero,  completes 
the  initialization  of  the  new  segment.  START?  returns  with  RC  equal 
to  OK  FLAG. 


95 


Function:  START? 

Parameters : START?  (process#,user , project , class , cat  ,new_j)rocess// , 

proc_off  set//)  ; 

Effect: 

IF  (process#  i EXECUTIVE_?ROCESS#)  1 

(?T_FLAGS (new_j)rocess#)  ^ INACTIVE); 

THEN:  RC (process#)  = NO; 

ELSE:  ?S-USER__ID  (new_process#)  = user; 
?S_?ROJECT__ID(new_j)rocess#)  = project; 

?S_CLASS  (newjrocess#)  = class; 

?S__CAT  (new-process#)  = cat; 

?S_MEM_QUOTA(new_jprocess#)  = MEM_QUOTA; 

?S_I?C(new_j)rocess//)  = I?C_QUOTA; 

(Vreg#) 

IF  (REG#__MIX  < reg#  < REG#_MAX)  ; 

THEN:  ?S_SAR(new_j)rocess#,reg#)  = 0; 

?S__SDR(new_process#,reg//)  = 0; 

END; 

(Vseg#) 

IF  (SEG#_MIX  < seg#  < SEG#_MAX)  ; 

THEN:  ?S_SEG_INUSE(new__process#,seg#)  = FALSE; 

?S_SEG  (new_j)rocess# , seg#)  = 

(seg#+l)MODULO(SEG#_MAX+l) ; 

END; 

?S_SEG(new_j)rocess#,0)  = ?S_SEG(new_jprocess# , 1)  ; 
?S_SEG(new_j)rocess# , 1)  = R00T__ASTE# ; 
AST__C?L(ROOT__ASTE#,new_j)rocess#)  = TRUE: 
GETR(new_process#,ROOT__ASTE,?DD_OFFSET#)  ; 

Let  pdd_seg//  = RC  (newjrocess//)  ; 

GETR(new_j)rocess#,?S__SEG(new_j)rocess# ,pdd__seg#)  , 

EXECUTIVE  PROCESS#); 

Let  pd_seg//  = RC  (new_j)rocess//)  ; 

GETW(new_process#,  ?S_SEG  (newjrocess#  ,pd_seg//)  , 
newjrocess//)  ; 

Let  stack_seg#  = RC(new_j)rocess#)  ; 

ENABLE (newjrocess# , ?S__SEG  (newjrocess # , 
stack_seg#),  STACK__REG#)  ; 

DCONNECT  (new_j)rocess#  ,?S__SEG(new_j)rocess# , 
pdd^seg#)  ,pdd__seg#)  ; 

GETR (new_p  r o ce  s s # , R00T_ASTE# , CD_0FFSET # ) ; 

Let  cd_seg#  = RC  (newjrocess#)  ; 

GETR(new_process#  ,?S__SEG(new_process# , 
cd__seg//)  ,proc_off  set#)  ; 

Let  proc^seg#  = RC  (new  process//)  ; 

ENABLE  (newjrocessT ,?S__SEG  (newjrocess# , 
proc_seg//)?ROC_REG//)  ; 
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DCOKNECT  (newjrocess//  ,PS_SEG  (new_process// , 
cd__seg//) , cd__seg//) ; 

PT_IPC_QUEUEJH[EAD(new_j?rocess//)  = 0; 

PT__FLAGS  (new_jprocess//)  = READY; 

END; 

3.2.20.2  N/A 

3.2.20.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 


Called  By 

Calls 

PCHECK 

GETR 

GETW 

DCONNECT 

ENABLE 

HASH 

LSD 

3.2.20.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  STARTP.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  1,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References  Local  Parameters  Local  References 


PS_CURRENT_PROCESS 

PS_USER_ID 

PS_PROJECT_ID 

PS__CUR__CLASS 

PS_CUR_CAT 

PS__MEM__QUOTA 

PS__PROCESS_MASK 

P S_PR0C  E S S_N0TMAS  K 

PS_SAR 

PS__SDR 

PS_SEG 

PS_FLAG 

PT_FLAG 

PT__IPC_QUOTA 


USER 

PROJECT 

CLASS 

CAT 

PROCESS# 
PROC  OFFSET 


PDD_SEG# 

PD_SEG# 

CD__SEG# 

SS_SEG# 

KS_ASTE# 

PR0C_SEG# 

I 

DUMMY 

RC 
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Global  References 


Local  Parameters 


Local  References 


PT  KSDR2 

PT_R5 

PT_PS  ASTE# 

PT_KSDR1 

PT_IPC_QUEUE  HEAD 

Constants 

ASHROR3 

OK_FLAG 

ASHR1R3 

PDD_OFFSET 

CD  OFFSET 

PROCESS#  MAX 

DEC 

PS_KSR_ADR 

DIR_KSR_ADR 

PT  FLAGS  MASK 

ERR_FLAG 

PT_KDSR1_ADR 

EXEC  PROCESS# 

PT  KDSR2  ADR 

INACTIVE 

READY 

IPC_QUOTA 

ROOT_ASTE# 

MEM  QUOTA 

SDR__READ  ACCESS 

MOV 

SEG  "flags 

NEG 

3.2.20.5  Limitations 

SEG#  MAX 

START?  returns  ERR_FLAG  if  PS_CURRENT_PROCESS  does  not  equal 
EXEC_PROCESS#  or  if  PT_FLAGS  (PROCESS#)  and  PT_FLAGS_MASK  are  not 
INACTIVE.  Otherwise,  RC  = OKJFLAG. 

3.2.20.6  Listing 

D^■IA  STS^^TPtHSEE,  PROJECT,  CLASS,  CAT,  PROCESS*,  PROC_nFFSET)  RETURNS  (RC)  ; 


PROGRAM  STARTP; 

DECLARE 

WORD  (I,  PDD^SEG#,  PC_SFG#,  CD_SEG#,  SS_SEG#,  KS_ASTE#,  PROC^SEG#,  DUMMY); 

/*  ONLY  EXECUTIVE  CAN  CALL  THIS  FUNCTION 

IF  P.S_CaRRENT  PROCESS  EXEC  PROCESS#; 

THEN: 

RETURN  WITH  ERR  FLAG; 

END; 
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/♦  PROCESS  MUST  BE  FREE 

IF  (PT_FLAGS  (PROCESS#)  S PT  FLAGS_MASK)  -=  INACTIVE; 

THEN; 

•.  RETURN  WITH  ERR  FLAG; 

END; 

/♦  MAKE  "PARTIAL"  SWITCH  TO  USER  PROCESS 

LSD  (PT_PS_AST  Ft  (PROCESS#)  , PS_.KSR_ADR,  SDR_WR  ITE_ACCSSS)  ; 
/♦  INITIALIZE  PS 

PS_CURRENT_PROCESS  :=  PROCESS#; 

/♦  NEED  MASK  + NOTMASK 


INLINE(MOV,  PROCESS#,  0,  3); 
TNLINE(DFC,  0,  3)  ; 

INLINE  (NEG,  0 , 3)  ; 

INLINE(nOV,  2,  7,  0,  0,  "4000"); 
INLINE(MOV,  2,  1,  0,  1,  "DFFF"); 

INLINE  (ASHR0R3)  ; 

INLINE(ASHR1R3)  ; 

INLINF(MOV,  0,  0,  PS_  PROCE  S S_  M A SK ) ; 
INLINE(M0V,  0,  1,  PS_PROCFSS_NOTM ASK)  ; 
PS_nsER_ID  ;=  USER; 

PS~PROJECT_in  :=  PROJECT; 

PS_CUR_CLASS  ;=  CLASS; 

PT_CUr3cLASS  (PROCESS#)  ;=  CLASS; 
PS_C0R_CAT  :=  CAT; 

PT_CUR”cAT (PROCESS#)  :=  CAT; 
PS_MFri_QUOTA  :=  MEM_QUOTA; 

PT_IPC_QUOTA  (PROCESS#)  :=  TPC_QUOTA; 


DO  I :=  0 TO  15 
PS^SAR  (I) 
PS”SDR  (I) 

END; 


= 0; 
= 0; 


DO  I :=  0 TO  SEG#_MAX; 

PS_SEG(I)  :=”((!  + 1)  I SEG_FLAG); 

END  ; 

PS_SEG (SEG#_MAX)  :=  SEG_FLAG; 

/♦  POT  ROOT  INTO  "B" 

PS_SEG(0)  PS_SEG(1); 

PS_SEG(1)  :=  ROOT_ASTE#; 

AST_CPL  (ROOT_ASTE#)  :=  ( AST_CPL  (ROOT_ASTE#)  | PS_PPOCES S^MASK)  ; 

/*  GAIN  ACCESS  TO  STACKS 

/♦  FIRST  PDD 

PDD_SEG#  :=  GETR  (ROOT^ASTE#,  PDD^OEFSET); 


/*  NEXT  EXEC'S  PD 

PD_SEG#  :=  GFTP  (PS_SFG(Pnr_SFG#)  , EX  EC_PROCESS  #)  ; 

/♦  NOW  STACKS  - FIRST  S STACK 

SS_SEG#  :=  GETW  (PS_SEG(FD_SEG#)  , PROCESS#); 

DUMMY  ;=  ENABLE  (Ps”sEG (SS_SFG#)  , 0); 


*/ 


*/ 


*/ 


♦/ 


♦/ 


♦/ 


*/ 
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K STACK  IS  AWKWARD  BECAUSE  GETW  MUST  FAIL 


/* 


/♦  HOWEVER  EXEC  HAS  DONE  THE  GETW  AND  AN  ENABLE 

LSD  (PS^SEG  (PD_SEG#)  , DIR_KSP_AnR,  S DP_P  F A D_A  CC  ESS  ) ; 
KS_ASTE#  :=  HASH  (DIR_riSK  (PROCESS  #_f1AX  + PROCESS#)); 


IF  KS_ASTR#  = 0 ; 

THEN:  INLINF(O); 
END; 


LSD  (KS^ASTE#,  PT_KSDR2_AOR  + PROCESS#  ^ PROCESS#,  SnR_WRITE_ACCESS)  ; 
AST_DFS_COONT  (kS^ASTF#)  :=  AST_DE  S^COUNT  ( KS_  AS  TF.  #)  * 1; 

PT_KS_ASTE#  (PROCESS#)  KS_ASTE#;” 


/♦  CLEAN  UP  A BIT 


♦/ 

*/ 


♦/ 


DCONNECT ( PD_SFG#,  PS_SEG(PD_S  PG#)  ) ; 

DCONNECT  (PDD^SEG#,  PS_S EG (PCD_S EG#)  ) ; 

/*  NOW  FOR  INITIAL  PROC  ♦/ 

CD_SEG#  :=  GETR  (ROOT_ASTF  #,  CD_OFFSET)  ; 

PPOC_.SEG#  :=  GETR  (PS_SEG(CD_SEG#)  , PROC^OFFSET)  ; 

DUflHY  :=  ENABLE  (PS^SEG  (PROC'SEG#)  , 2); 

DCONNECT  (CD_SEG#,  PS_SEG  (CD_SEG  #)  ) ; 

/*  SWITCH  BACK  TO  EXECUTIVE  */ 

LSD  (PT_PS_ASTE#  (EXEC_PROCESS#)  , PS_KSR_ADR,  SDR_WRITE_ACCESS)  ; 

LSD  (PT_Ps2aSTP#  (PROCESS*)  , PT_KSDrT_ADR  PROCESS#  PROCESS#,  S DR_W  R ITE_  ACCE  SS)  ; 
PT_R5  (PROCESS#)  :=  0; 


PT_FLAGS (PROCESS#)  :=  READY; 
FT_IPC_OU FUF_HEAD (PROCESS# ) 0; 

PC  OK_FLAG; 


3.2.21  Change  Object  (CHANGED) 


The  Change  Object  CPC,  CHANGEO  is  a user  level  external 
SKCPP  function  that  is  called  by  one  user  level  external  program, 
the  executive  process,  with  the  parameters  process#,  aste#,  offset, 
class  and  cat.  CHANGEO  calls  only  kernel  level  Internal  functions. 
It  is  written  in  Project  SUE  System  Language. 


3.2.21.1  Description 


CHANGEO  alters  the  classification  and  category  of  a data  segment 
according  to  the  specification  of  a trusted  subject.  First,  it 
checks  that  the  calling  process  is  indeed  trusted.  If  PS_CURRENT_ 
PROCESS  is  not  EXEC_PROCESS#,  ERR_FLAG  is  returned.  Also,  if 
WRITEDIR(ASTE#)  does  not  return  0K_FLAG,  CHANGEO  returns  ERR_FLAG: 
the  process  must  have  write  access  to  the  parent  segment,  which  must 
be  a directory.  The  Implementation  requirement  is  that  the  segment 
whose  attributes  are  to  be  changed  must  exist;  if  DIR_SIZE (OFFSET) 
is  zero,  it  returns  ERR_FLAG.  Next,  CHANGEO  must  insure  that  the 
segment  is  not  in  the  WS  of  any  process.  It  sets  OASTE#  to  the 
aste#  which  HASH  associates  with  DIR_DISK (OFFSET) , the  disk  address 
of  the  segment.  If  OASTE#  is  0,  the  segment  is  Inactive  and  by 
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definition  is  not  in  the  WS  of  any  process.  Also  if  AST__CPL  logical 
and  WIRED_DOWN_NOTMASK  - the  wired  down  bit  shares  a word  with  the  CPL 
equals  0,  it  is  not  connected  to  any  process.  If  neither  of  these 
conditions  holds,  some  process  has  the  segment  in  its  WS,  so  the 
segments  attributes  cannot  be  changed:  ERR_FLAG  is  returned.  Also 
if  DIR_TYPE (OFFSET)  and  DIR_TYPE_MASK  equals  DIR_TYPE_DIRECT0RY , 
CHANGED  returns  with  ERR_FLAG.  Finally,  the  compatibility  rule  that 
security  levels  must  be  nondecreasing  as  one  moves  down  in  the 
hierarchy  is  implemented.  If  CLASS  is  less  than  AST_CLASS (ASTE#) 
logical  and  AST_CLASS_MASK,  the  classification  of  the  parent,  or 
if  the  CAT  set  does  not  equal  logical  or  AST_CAT(ASTE#) , CHANGEO 
returns  with  ERR_FLAG. 

Otherwise,  checking  is  complete.  DIR_CLASS (OFFSET)  is  reset  to 
the  logical  or  of  CLASS  and  the  logical  and  of  DIR_CLASS (OFFSET) 
and  DIR_CLASS_NOTMASK,  changing  the  class  without  affecting  the  type 
and  status  bits.  DIR_CAT (OFFSET)  is  assigned  the  value  of  CAT.  If 
the  segment  is  active,  that  is,  if  OASTE#  is  not  equal  to  zero, 
ASTE_CLASS  (OASTE#)  and  AST_CAT (OASTE#)  must  be  changed  also;  they 
are  set  equal  to  DIR_CL ASS (OFFSET)  and  DIR_CAT (OFFSET) . RC  is 
set  to  OK_FLAG  and  CHANGEO  returns. 

Function  CHANGEO 

Parameters : CHANGEO (process# , as te#, of f set , class , cat) ; 

Effect : 

IF  (PS_TYPE (process#)  + TRUSTED)! 
not  AST_WAL(aste#, process#) I 
(Ast_TYPE(aste#)  + DIRECTORY! 

(DIR_SIZE(aste#, offset)  = o! 

(HASH (DIR_DISK(aste#, offset#))  ^ 0 I 
(DIR_TYPE(aste#,offset#)  ^ DIRECTORY! 

(cat  ^AST_CAT  '(aste#)  ) ! 

(class  < AST_CLASS (aste#) ; 

THEN:  RC (process#)  = NO; 

ELSE:  DIR_CLASS(aste#)  = class; 

DIR_CAT(aste#)  = cat 
RC (process#)  YES; 

END; 

3.2.21.2  N/A 

3.2.21.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 
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Calls 


Called  By 

PCHECK  WRITEDIR 

HASH 


3.2.21.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  CHANGED.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References 

P S_CURRENT_PROCES  S 

DIR_SIZE 

DIRJTYPE 

DIR_CLASS 

DIR_CAT 

AST_CPL 

AST_CLASS 

AST  CAT 


Local  Paremeters 

ASTE# 

OFFSET 

CLASS 

CAT 


Local  References 

OASTE// 

RC 


Constants 


AST_CLASS_MASK 

DIR_CLASS_NOTMASK 

DIR_TYPE 

DIR_TYPE_DIRECTORY 

DIR_TYPE_MASK 

3.2.21.5  Limitations 


ERR_FLAG 

EXEC_PROCESS// 

INACTIVE 

OK_FLAG 

WIRED  DOWN  MASK 


CHANGED  returns  ERR_FLAG  if  PS_CURRENT_PROCESS  does  not 
equal  EXEC_PROCESS#,  if  the  intended  parent  segment  is  a directory 
to  which  the  process  does  not  have  write  access,  if  the  segment 
does  not  exist  in  main  memory,  if  the  segment  is  in  the  WS  of  some 
process,  if  the  segment  is  a directory,  or  if  the  category  set  is 
less  than  classification  of  the  parent  segment.  Otherwise,  RC  = OK  FLAG. 

3.2.21.6  Listing 


DATA  CHAMGKO  (A  , OFFSET,  CLASS,  CA,T)  RETURNS 


(HC)  ; 
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PROGRAM  CHANGEO; 

DECLARE 

WORD  (OASTE#)  ; 

/*  SECtIRITY  CHECKS 

/♦  ONLY  TRUSTED  SUBJECTS  CAN  USE  THIS  FUNCTION 

IF  PS_CURRENT_PROCE  SS  -•=  FXEC_PROCESS#  ; 

THEN: 

....  RETURN  WITH  ERR_FLAG; 

END; 

/♦  INTERPRETIVE  DIRECTORY  WRITE  CHECK 

IF  WR ITEDIR  (ASTE#) 

THEN  : 

....  RETU^’N  WITH  FRP_FLAG; 

END; 

IF  DIR_SIZE  (OFFSET)  ^ 0; 

THFN: 

....  RETURN  WITH  ERR_FLAG; 

END; 

/♦  IF  OBJECT  IS  INACTIVE  THEN  NO  NEED  TO  DO  SECURITY  E ♦ -PROPERTY  CHECK 
OASTE#  HASH(DIR_DISK(OFFSi=’T)  ) ; 

IF  (OASTE#  -=  0)  Tr  ( (AST_CPL(OASTE#)  & WIP ? D_DOWN_NOTN A SK)  -=  0); 

THEN: 

RETURN  WITH  ER REFLAG; 

END; 

/*  COaPATABILlTY  CHECK  SIMPLIFIED  IF  OBJECT  IS  NOT  A DIRECTORY 

IP  (DIR_TYPE  (OFFSET)  B DI  3_T  YPE^MASK)  = DIR_TYPF_DIR ECTOR Y ; 

THEN: 

RETURN  WITH  EER_FLAG; 

END; 

IF  CLASS  < (AST^CLASS  (ASTE#)  G AS  T_C  LAS  S_MA  SK)  ; 

THEN; 

....  RETURN  WITH  ERR^FLAG; 

END; 

IP  CAT  -=  (AST_CAT  (ASTE#)  I CAT); 

THEN; 

RETURN  WITH  ERP_FLAG; 

END; 

/♦  CHECKING  COMPLETE  - PERFORM  STATE  CHANGE 

DIR  CLASS  (OFFSET)  :=  ( (DI  R_C  LASS  (OFFSET)  G DI  R_CLASS_NOTH  ASK)  | CLASS); 

DIrIcAT(OFFSET)  ;=  CAT; 


*/ 

♦/ 


*/ 


♦/ 


♦/ 


/* 


IF  WIRFD  DOWN  CHANGE  ASTE  CLASS  AND  CAT  ALSO 


♦/ 


♦/ 


IF  OAST"^#  -=  0; 

THEN;  AST_CLASS  (OASTE#)  :=  DIP_CLASS  (OFFS  ET  ) ; 
AST_CAT  (OASTE#)  :=  CAT; 

END; 

RC  : = OK_FLAG; 
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3.2.22  Initialize  Hierarchy  (INITH) 


The  Initialize  Hierarchy  CPC,  INITH,  is  a user  level  external 
SKCPP  function  that  is  called  by  only  one  user  level  program,  the 
executive  process.  INITH  calls  only  kernel  level  internal  functions. 
It  is  written  in  Project  SUE  System  Language. 

3.2.22.1  Description 

INITH  allows  the  executive  process  to  set  up  the  directory 
structure  at  system  initialization;  it  copies  the  attributes  of 
a specified  ASTE  into  a specified  directory  entry. 

It  checks  that  the  calling  process  is  trusted  and  that  the 
directory  aste#  parameter  supplied  identifies  a directory  to 
which  the  process  has  write  access.  If  PS_CURRENT_PROCESS  does 
not  equal  EXEC_PROCESS#  or  if  WRITEDIR  (DASTE#)  does  not  return 
ERR_FLAG,  INITH  returns  with  ERR_FLAG.  It  also  requires  that  the 
directory  entry  specified  be  empty:  if  DIR_SIZE (OFFSET)  is  not 
zero , it  returns  with  ERR_FLAG. 

If  the  security  and  implementation  requirements  have  been 
satisfied,  it  performs  the  state  change.  DIR_CLASS (OFFSET) , 

DIR_CAT (OFFSET) , DIR_DISK (OFFSET)  and  DIR_SIZE (OFFSET)  are  assigned, 
respectively,  the  values  of  AST_CLASS (ASTE#) , AST  DISK 
and  AST_SIZE(ASTE#) . Setting  DIR_ACL_HEAD (OFFSETJ  to  zero  empties 
the  access  control  list  and  completes  the  procedure.  INITH  returns 
with  RC  set  equal  to  OK_FLAG. 

Function:  INITH 

Parameters : INITH  (process// , daste// , offset# , aste#) 

Effect: 

IF  (PS_TYPE  (process#)  TRUSTED  I 

not  AST_WAL(daste#) I 
(ASTJTYPE  (daste#)  DIRECTORY  I 

6iR_SIZE  (daste#,  off  set#)  ^ 0; 

THEN:  RC (process#)  = NO; 

ELSE:  DIR_CLASS (daste#, off set#)  = AST_CLASS (aste#) ; 

DIR_CAT (daste#, off set#)  = AST_CAT (aste#) ; 

DIR_DISK(daste#, offset#)  = AST_DISK(aste#) ; 

DIR_SIZE (daste#, offset#)  = AST_SIZE (aste#) ; 

DIR_ACL_HEAD (daste#, off set#)  = 0; 

RC (process#)  = YES 

END; 

3.2.22.2  N/A 
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3.2.22.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 
Called  By  Calls 

PCHECK  WRITEDIR 

3.2.22.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  INITH.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2. 


Data  Base  References 


Global  References  Functional  Parameters  Local  References 

P S_CURRENT_PROCES  S 
DIR_CLASS 
DIR_CAT 
DIR_SIZE 
DIR_DISK 

Constants 

ERR__FLAG 
EXEC_PROCESS# 

OK_FLAG 

3.2.22.5  Limitations 

INITH  returns  ERR_FLAG  if  PS_CURRENT_PROCESS  does  not  equal 
EXEC_PROCESS#,  if  the  directory  entry  specified  is  not  empty,  or 
if  the  intended  parent  segment  is  a directory  to  which  the  process 
does  not  have  write  access.  Otherwise,  RC=OK_FLAG. 

3.2.22.6  Listing 


DATA  I'lITH  (DAST^#,  OFPSKT,  ASTK#)  RDTOFNS  (RC)  ; 


BASTE//  RC 

OFFSET 

ASTE// 
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PROGRAM  INITH; 


/♦  SECflHITY  CHECKS 

/♦  ONLY  TRUSTED  SUBJECTS  CAN  USE  THIS  FUNCTION 

IF  PS_CUR  RENT^PPOCESS  -*=  F XFC^PROCESS  t ; 

THEN: 

. RETURN  WITH  ERR_FLAG; 

END; 

/♦  IN  TERPR  E'^I  VE  DIRECTORY  WRITE  CHECK 

IE  WP ITEDIR  (DASTE#)  OK^FLAG; 

THEN: 

. RETURN  WITH  ER REFLAG; 

END; 

/♦  IMPLEMENTATION  CHECKS 

IF  niR_S IZE (OFFS ET)  -=  0; 

THEN: 

RETURN  WITH  EPR^FLAG; 

END; 

/.  PPRrORtl  STATE  CHANGE  - COPY  ASIE  ATTRIBUTES  INTO  DIRECTORY  ENTRY 

DIR_CLASS  (OFFSET)  :=  AST_CLASS  ( ASTE#)  ; 

DIR  CAT(OFFSET)  :=  A ST_CA  T (ASTE  #)  ; 

DIRIdISK(OPFSET)  ;=  AST.DISK  (ASTE#)  : 

DIR  SIZE(OFFSFT)  :=  AST_S IZE  ( ASTE#)  ; 

DIrIacL_HEAD(OFFSET)  :=  0; 

RC  :=  OK^FLAG; 


♦ / 


*/ 


*/ 


3.2.23  Get  Directory  (GETDIR) 

The  GET  Directory  CPC,  GETDIR,  is  a kernel  level  internal  SKCPP 
function  that  is  called  by  a user  level  external  function.  GETDIR 
calls  only  kernel  level  internal  functions-  It  is  written  in  Project 
SUE  System  Language. 

3.2.23.1  Description 

GETDIR  insures  that  a directory  segment  is  swapped  into  main 
memory  and  can  be  accessed.  If  AST_ADR(ASTE//)  is  zero,  the  ASTE// 
supplied  identifies  a segment  not  in  main  memory;  SWAP IN  is  called 
to  swap  the  segment  in.  LSD  is  then  called  to  load  the  segment 
descriptors  in  the  register  at  DIR_KSR_ADR  to  provide  write  access 
to  the  segment . 


106 


Function : GETDIR 
Parameters : GETDIR  (as  te//) 

IF  AST_ADR  - 0 
THEN:  SWAP IN; 

LSD; 

AST_CHANGED; 

ELSE:  LSD; 

AST_CHANGED: 

END; 


3.2.23.2  N/A 


3.2.23.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 


Called  By  Calls 

DELETE  SWAPIN 

LSD 


3.2.23.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  GETDIR.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 

Global  References  Function  Parameters  Local  References 

AST_ADR  ASTE#  None 

Constants 


DIR_KSR_ADR 

SDRJWRITE_ACCESS 

3.2.23.5  Limitations 
None. 

3.2.23.6  Listing 


DATA  GETDIR  (ASTE#)  ; 
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PRCGRAH  GETDIR; 


/♦  LOAD  SEGMENT  DESCRIPTOR  FOR  DIRECTORY 

IF  AST_ADR(ASTE#)  = 0; 

THEN?  SWAPIN(ASTE#) ; 

END; 

LSD(ASTE#,  DIR_KSR_ADR,  SDR_WRITE_ACCESS) ; 

3.2.24  Write  Directory  (WRITEDIR) 

The  Write  Directory  CPC,  WRITEDIR,  is  a kernel  level  internal 
SKCPP  that  is  called  by  user  level  external  functions.  WRITEDIR 
ca,XXs  kernel  level  internal  functions.  It  is  written  in  Project 
SUE  System  Language. 

3.2.24.1  Description 

WRITEDIR  makes  security  and  implementation  checks,  and  if  con- 
straints are  met,  provides  access  to  a specified  directory.  It 
returns  ERR_FLAG  if  AST_TyPE(ASTE#)  logical  and  ASTJTYPEJiASK  does 
not  equal  AST_TYPE_DIRECTORy : that  is,  if  the  segment  supplied  is 
not  a directory.  If  ASTJWAL(ASTE#)  logical  and  PS_JPROCESS_MASK, 
which  contains  all  0’s  except  a 1 in  the  bit  corresponding  to  the 
process//,  is  zero,  it  returns  with  ERR_FLAG. 

If  these  requirements  are  satisifed,  it  makes  certain  that  the 
segment  is  in  main  memory.  If  AST_ASR(AST//)  , which  holds  the  main 
memory  address  of  the  segment,  is  zero,  WRITEDIR  calls  SWAPIN  to 
swap  the  segment  into  main  memory.  Next,  it  calls  LSD,  which  loads 
the  descriptors  of  the  directory  in  the  register  located  at 
DIR_KSR_ADR  with  access  mode  SDR_WRITE_ACCESS.  Since  write  access 
to  the  directory  has  been  gained,  the  directory  will  be  changed,  so, 
to  insure  that  the  segment  will  be  copied  onto  the  disk  when  it  is 
swapped  out,  the  change  bit  is  set.  WRITEDIR  lets  AST_CHANGE (ASTE//) 
equal  AST_CHANGE(ASTE//)  logical  or  AST_CHANGED.  Setting  RC  equal 
to  0K_FLAG,  it  returns. 

Function:  WRITEDIR 

Paremeters:  WRITEDIR  (aste//) 

Effect: 

IF  (ASTJTYPECaste//)  ^ DIRECTORY)! 

(AST_WAL(aste//)  ^ 0) 


♦/ 
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THEN:  RC(TCP)  = NO; 

ELSE:  RC(TCP)  = YES 
IF  AST_ADR  = 0; 

THEN:  SWAPIN: 

LSD; 

AST_CHANGED; 

ELSE:  LSD; 

AST_CHANGED; 

END; 

END: 

3.2.24.2.  N/A 

3.2.24.3.  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  Paragraph  3,4, 

Called  By  Calls 

CREATE  SWAPIN 

DELETE  LSD 

GIVE 

RESCIND 

CHANGO 

INITH 

3.2.24.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  WRITEDIR.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 

PS_PROCESS_MASK  ASTE#  RC 

AST_ADR 

ASTJTYPE 

ASTJWAL 

AST_CHANGE 

Constants 


AST  CHANGE 
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Constants  cont 


ASTjrYPEJ)IRECTORy 

AST__KSR_ADR 

ERR__FLAG 

OK_FLAG 

SDRJWRITE_ACCES  S 

3.2.24.5  Limitations 

WRITEDIR  returns  ERR__FLAG  if  the  segment  supplied  is  not  a 
directory,  or  if  the  process  does  not  have  write  access  to  the 
directory.  Otherwise,  RC  = OK^JFLAG. 

3.2.24.6  Listing 


DATA  WRITBDIR  (ASTE#)  RETURNS  (RC); 

PROGRAH'  HRITEDIR; 

/♦  CHECKS  THAT  SPECIFIED  SEGMENT  IS  A DIRECTORY  AND  THAT  IT  IS  IN  CURRENT  ♦ 

♦ PROCESS'S  B IN  WRITE  MODE  V 

IF  (AST_TYPE(  ASTEi)  5 AST_TT  PE_M  ASK  ) '•=  AST_T  YPE^DIRECTORY  ; 

THEN;” 

RETURN  WITH  ERR^FLAG; 

END; 

IF  (AST_HAL(ASTE#)  & PS_PROCESS_N  ASK)  = 0; 

THEN; 

....  RETURN  WITH  FRR^FLAG; 

END; 

IF  AST_ADR(ASTE«)  = 0; 

then!  SWAPIN(ASTE#) ; 

END; 

/♦  GAIN  ACCESS  TO  THE  DIRECTORY 

LSD  (ASTE#,  DIR_KSR_ADP,  SDR_iRITE_ACCESS)  ; 

/♦  DIRECTORY  WILL  BE  CHANGED  - SET  CHANGE  BIT  */ 

AST_CHANGE  (ASTE#)  :=  (AST_CHA  NGE  ( ASTE#)  | AST_CHANGED)  ; 

RC  7=  0K_FLAG; 

3.2.25  Delete  Segment  (DELETSEG) 

The  Delete  Segment  CPC,  DELETSEG,  is  a kernel  level  internal 
SKCPP  function  that  is  called  by  a user  level  external  function. 

DELETSEG  calls  only  kernel  level  internal  functions.  It  is  written 
in  Project  SUE  System  Language. 
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3.2.25.1  Description 


DELETSEG  deletes  a data  segment  or  an  empty  directory  segment. 
First,  it  removes  any  elements  that  may  be  on  the  ACL  for  the 
segment.  It  sets  INDEX  equal  to  DIR_ACL_HEAD (OFFSER) . If  INDEX  is 
not  zero,  there  are  some  ACL  elements  to  be  removed.  Until 
ACL_CHAIN (INDEX) , which  holds  the  acle#  of  the  next  element  in  the 
list,  equals  zero,  INDEX  is  reset  to  ACL_CHAIN (INDEX) . ACL_CHAIN 
(INDEX)  is  then  set  to  ACL_CHAIN(0) , linking  the  end  of  the  ACL 
to  the  head  of  the  free  chain,  and  ACL_CHAIN(0) , the  pointer  to  the 
free  acle  chain,  is  set  to  DIR_ACL_HEAD (OFFSET) . Setting  DIR_ACL_ 
HEAD (OFFSET)  to  0 completes  the  transfer  of  the  ACL  to  the  free 
chain . 

DELETSEG  then  calls  SOADD,  which  removes  the  segment  from  the 
WS  of  any  process  whose  access  rights  have  been  rescinded.  Since 
the  segment’s  ACL  has  just  been  emptied,  SOADD  removes  the  segment 
from  all  WS’s. 

If  the  segment  to  be  deleted  is  active  (aged,  now),  it  must 
be  deactivated.  When  HASH  is  called  with  a parameter  of  DIR_DISK 
(OFFSET),  which  contains  the  disk  address  of  the  segment,  it  returns 
the  aste#  of  the  segment.  This  value  is  assigned  to  OASTE//.  If 
OASTE#  is  non-zero,  the  segment  is  active  and  eligible  for  deactiva- 
tion. The  change  and  status  bits  are  zeroed  by  letting  AST^CHANGE 
(OASTE//)  equal  AS T_CHAIN (OASTE//)  logical  and  AST_UNCHANGED_MASK 
and  AST_STATUS  (OASTE//)  equal  AST_STATUS  (OASTE//)  logical  and 
AST_STATUS_NOTMASK.  DEACT  is  then  called  to  swap  the  segment  out 
of  main  memory,  if  necessary,  and  move  its  aste  from  the  list  of 
segments  eligible  for  deactivation  to  the  list  of  free  aste’s. 

DELETSEG  then  calls  DFREE  to  free  the  disk  space  occupied  by  the 
segment.  It  sets  D IR_D I SK (OFFSET)  and  DIR_SIZE (OFFSET)  to  zero  to 
mark  the  directory  entry  free.  Finally,  DELETSEG  sets  the  change 
bit  in  the  parent  directory  so  it  will  be  copied  onto  the  disk  when 
swapped  out  of  main  memory:  AST__CHANGE(ASTE//)  is  set  equal  to 
AST_CHANGE(ASTE//)  logical  or  AST_CHANGED.  It  then  returns  control 
to  the  calling  program. 

Function : DELETSEG 

Parameters : DELETSEG  (aste//,  offset) 

Effect: 

IF  ’DIR_ACL_HEAD’ (aste//,  offset)  ^ 0; 

THEN:  Let  acle//  = FINDEND (aste// , ’DIR_ACL_HEAD’ (aste//,  offset); 

ACL_CHAIN(aste//,  acle//)  = ’ACL_CHAIN’ (aste//,  0); 
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ACL_CHA.IN(aste#,  0)  = 'DIR_ACL_HEAD’ (aste#,  offset); 
SOADD(aste#,  offset); 

END; 

IF  HASH('DIR_DISK' (aste#,  offset))  4 0); 

THEN:  DEACTIVATE (HASH (’DIR_DISK’ (aste#,  offset))); 

END; 

DISK_FREE(’DIR_DISK’ (aste#,  offset,  ’DIR_SIZE' (aste#, 
offset))  ) ; 

DIR_SIZE(aste#,  offset)  = 0; 

3.2.25.2  N/A 

3.2.25.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  In  paragraph  3.4. 


Called  By  Calls 

DELETE  SOADD 

DFREE 

DEACT 

HASH 


3.2.25.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  DELETSEG.  For  data  base  references 
refer  to  Figure  5,  Data  Base  References  Matrix,  In  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 

ACL_CHAIN  ASTE#  OASTE# 

ACL_CHANGE  INDEX 

DIR_ACL_HEAD 

DIR_DISK 

DIR_SIZE 

Constants 

AST_CHANGE 
AST_STATUS_NOTMASK 
AS  T_UNCHANGED_MASK 
BMT_SIZE2_ADR 
ERR  FLAG 
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3.2,25.5  Limitations 


None 


3.2.25.6  Listing 


DATA  DELETSEG(ASTEi,  OFFSET); 

DECLARE 

PROCEDURE  ACCEPTS  (WORD,  WORD)  (DFREE)  ; 


PROGRAM  DELETSEG; 

DECLARE 

WORD  (INDEX,  OASTEi) ; 

/*  REMOVE  ANY  ELEMENTS  THAT  MAY  BE  ON  ACL  CRAIN  V 

INDEX  :=  DIR_ACL_HEAD (OFFSET) ; 

IF  INDEX  0; 

THEN: 

CYCLE 

EXIT  WHEN  ACL_CHAIN  (INDEX)  = 0; 

INDEX  :=  ACL_CHAIN  (INDEX)  ; 

END; 

ACL_CHAIN(INDEX)  ACL_CHAIN (0)  ; 

ACl”cHAIN(0)  :=  DIR_ACL_READ  (OFFSET)  ; 

DIrIaCL^HEAD  (OFFSET)  :=  0; 

END; 

/♦  NOW  BUMP  EVERYBODY  OFF  V 

SOADD(ASTE#,  OFFSET); 

/♦  DEACTIVATE  IF  ASTE#  OF  OFFSET  (OASTE#)  IS  AGED  ♦/ 

OASTE#  :=  HASH  (DIR_DISK (OFFSET)  ) ; 

IF  OASTE#  0; 

THEN: 

/♦  SET  CHANGE  BIT  TO  UNCHANGED  AND  STATUS  BIT  TO  INITIALIZED  ♦/ 

AST_CHANGE  (OASTE#)  :=  (AST  CHANGE  (OASTE#)  S AST_ONCHANGED_BASK)  ; 

AST_STATDS  (OASTE#)  :=  (A  ST^STATUS  (OASTE  #)  S AST.ST  ATUS^NOTM  ASK)  ; 

DEACT  (OASTE#)  ; 

END; 

/*  FREE  DP  RESOURCES  - DISK  SPACE  AND  DIRECTORY  ENTRY  • ♦/ 

DFREE  (DIR_DISK  (OFFSET)  , BMT_SI2E2_ADR)  ; 

DIR_DISK  (OFFSET)  :=  0; 

DIr”sTZE(OFFSET)  :=  0; 

/*  SET  CHANGE  BIT  IN  PARENT  */ 

AST_CHANGE(ASTE#)  :=  (AST_C RANGE ( ASTE# ) | AST^CHANGED ) ; 
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3.2.26  Connect  (CONNECT) 


The  Connect  CPC,  CONNECT,  is  a kernel  level  internal  SKCPP 
function  that  is  called  by  user  level  external  functions.  CONNECT 
calls  only  kernel  level  internal  functions.  It  is  written  in  Project 
SUE  System  Language. 

3.2.26.1  Description 

CONNECT  connects  a process  to  a segment,  putting  the  segment 
in  the  WS  of  the  process.  It  is  subject  to  two  implementation 
constraints.  It  sets  SEG#  to  PS_SEG(0)  logical  and  SEG_MASK.  If 
SEG#  equals  zero,  there  are  no  free  segment  numbers,  and  CONNECT 
returns  with  ERR_FLAG.  It  then  insures  that  the  segment  is  active. 

It  calls  HASH  which  returns  the  AST  entry  number  associated  with 
DIR_DISK (OFFSET) , the  disk  address  of  the  segment,  and  assigns  this 
value  to  ASTE#.  If  ASTE#  is  zero,  CONNECT  must  call  ACT  to  activate 
the  segment,  and  ASTE#  is  set  to  the  value  it  returns.  If  ASTE#  is 
non— zero,  showing  that  the  segment  is  already  active,  and  AST_CPL 
(ASTE#)  logical  and  PS_PROCESS_MASK  is  non- zero,  the  process  is 
already  connected  to  the  segment  so  CONNECT  returns  with  ERR_FLAG. 

Otherwise,  it  can  proceed  with  the  connection.  If  the  segment 
is  eligible  for  deactivation  it  must  be  removed  from  the  age  chain. 

If  AST_CPL(ASTE#)  is  0,  this  is  the  case.  To  find  the  segment's 
AST  entry  number  in  the  age  chain,  it  sets  INDEX  to  0 and  NEXT  to 
AST_AGE_CHAIN(0) , which  holds  the  head  of  the  age  chain.  Then, 
until  it  has  set  NEXT  to  ASTE#,  it  resets  INDEX  and  NEXT  to 
AST_AGE_CHAIN (INDEX) . Assigning  to  AST_AGE_CHAIN (INDEX)  the  value  of 
AST_AGE_CHAIN(ASTE#)  and  setting  AST_AGE_CHAIN(ASTE#)  to  0 removes 
the  segment  from  the  chain. 

CONNECT  now  performs  the  actual  connection  by  resetting 
AST_CPL(ASTE#)  to  AST_CPL(ASTE#)  logical  or  PS_PROCESS_MASK.  Since 
PS_PR0CESS_MASK  consists  of  all  0's  except  for  a 1 in  the  bit 
corresponding  to  the  process#,  this  sets  the  CPL  bit  for  the  process. 
If  the  MODE  is  WRITE$READ$EXECUTE_ACCESS , the  WAL  bit  for  the  process 
must  also  be  set.  CONNECT  accomplishes  this  by  resetting  AST_WAL 
(ASTE#)  to  AST_WAL (ASTE#)  logical  or  PS_PROCESS_MASK. 

To  complete  the  procedure,  PS SEG(0)  is  reset  to  PS SEG (SEG#) , 

which  removes  SEG#  from  the  free  segment  chain,  and  PS_SEG(SEG#) 
is  set  to  ASTE#.  This  allows  segment  numbers  to  be  mapped  onto  AST 
entry  numbers,  which  is  necessary  because  ASTE  numbers  are  system- 
wide variables  to  whose  values  users  can  not  have  access.  CONNECT 
returns  with  RC  set  to  the  SEG#  with  which  the  user  can  subsequently 
refer  to  the  segment. 
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Function:  CONNECT 

Parameters:  CONNECT  (process//,  daste//,  entry//,  mode) 

Effect : 

IF  'PS_SEG' (process//,  0)  = 0; 

THEN:  RC  (process//)  = NO; 

ELSE:  Let  flag  = 'HASH' (DIR_DISK (daste//,  entry//)); 

IF  (flag  0)  & 

'AST_CPL'  (flag,  process//)  ; 

THEN:  RC  (process//)  = NO; 

ELSE: 

IF  flag  ^ 0; 

THEN:  Let  aste//  = flag; 

IF  'AST_AGE'  (aste//)  = AGED; 

THEN:  UNAGE  (aste//)  ; 

END; 

ELSE:  ACTIVATE  (daste//,  entry//); 

Let  aste//  = HASH (DIR_DISK (daste//,  entry//)); 

UNAGED  (aste//)  ; 

END; 

AST_CPL(aste//,  process//)  = TRUE; 

IF  mode  = WRITE; 

THEN:  AST_WAL(aste//,  process)  = TRUE; 

END; 

Let  seg//  = 'PS_SEG' (process//,  seg//)  ; 

PS_SEG (process//,  0)  = 'PS_SEG' (process//,  seg//); 

PS_SEG (process//,  seg//)  = aste//; 

PS_SEG_INUSE (process//,  seg//)  = TRUE; 

RC  (process//)  = YES,  seg//; 

END; 

END; 

3.2.26.2  N/A 

3.2.26.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

GETW  ACT 

GETR  HASH 

3.2.26.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  function  CONNECT.  For  data  base  references 
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refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
*-®^stants  refer  to  Table  I,  List  of  Constants,  in -subparagraph 

3 • 3 • 2 • 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


PS_SEG  DASTE#  INDEX 

PS_PROCESS_MASK  OFFSET  NEXT 

AST_CPC  mode  SEG# 

AST_AGE_CHAIN  ASTE# 

AST_WAL  hash  VAL 

DIR  DISK  RP  “ 


Constants 

ERR_FLAG 

OFFSET_MAX 

OFFSET_MIN 

SEG_MASK 

WRITE$READ$EXECUTE_ACCESS 
3.2.26.5  Limitations 

CONNECT  returns  EFF_FLAG  if  there  are  no  free  segment  numbers 
or  if  the  process  is  already  connected  to  the  segment.  Otherwise, 

PP  =!  QVClJt  ^ ’ 


3.2.26.6  Listing 

DATA  CONNECT (DASTE#,  OFFSET,  MODE)  RETORNS  (RC) ; 


PROGRAM  CONNECT; 

< DECLARE 

WORD  (INDEX,  NEXT,  SEG#,  ASTE#,  HASH_VAL) ; 

/♦  FIND  A FREE  SEG#  */ 

SEG#  :=  (PS_SEG  (0)  & SEG_MASK)  ; 

IF  SEG#  = 0; 

THEN: 

RETURN  WITH  ERR  FLAG; 

EN  D ; 

/♦  DETERMINE  IF  SEGMENT  IS  ACTIVE  ♦/ 

ASTE#  :=  HASH  (DIR^DISK  (OFFSET)  ) ; 
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IF  ASTS#  = 0;  /♦  THEN;  MUST  ACTIVATE  ♦/ 

THEN:  ASTE#  :=  ACT(DASTE#,  OFFSET); 

E LS  E: 

IF  (AST_CPL  (ASTE#)  S PS_PFOCESS_MASK)  -=  0; 
THEN: 

BETORN  WITH  ERR^FLAG; 

END; 


END; 

/♦  ONAGE  IF  NECESSARY 

IF  AST_CPL  (ASTE#)  = 0; 

THEN;  INDEX  :=  0; 

CYCLE 

NEXT  :=  AST_AGE  CHA  IN  ( IN  DEX)  ; 

EXIT  iHEN  NEXT  = ASTE#; 

INDEX  :=  NEXT; 

END; 

AST_AGE_CHAIN (INDEX)  ;=  AST  AGE_CHAIN (ASTE#) ; 

AST_AGE  CHAIN(ASTE#)  ;=  0; 

END; 

/♦  ADD  THIS  PROCESS  TO  CONNECTED  PROCESS  LIST 

AST^CPL  (ASTE#)  (A ST_C PL  (A  STE  #)  | PS_PROCESS,MASK)  ; 

IF  MODE  = WRITE$READ$EXECUTE  ACCESS; 

THEN:  AST^iAL  (ASTE#)  ;=  (AST  HAL(ASTE#)  | PS  PROCESS  MASK); 

END;  “ - I. 

/*  AND  UPDATE  PS^SEG 

PS_SEG(0)  ;=  PS_SEG(SEG#)  ; 

PS_SEG(SEG#)  ;=“asTE#; 

RC  :=  SEG#; 

3.2.21  Search  Out  and  Destroy  Descriptors  (SOADD) 

The  Search  Out  and  Destroy  Descriptors  CPC,  SOADD,  is  a kernel 
level  internal  SKCPP  function  that  is  called  by  both  user  level 
external  functions  and  kernel  level  internal  functions.  SOADD  calls 
both  user  level  external  functions  and  kernel  level  internal  functions. 
It  is  written  in  Project  SUE  System  Language. 

3.2.27.1  Description 

SOADD  searches  out  and  destroys  descriptors  for  a segment  in 
processes  whose  access  rights  have  been  restricted.  It  checks  that 
the  segment  is  active  - if  it  is  not,  no  processes  are  connected  to 
it  at  all.  It  calls  HASH  to  find  the  aste#  associated  with  the 
segment’s  disk  address,  which  is  held  in  DIR_DISK (OFFSET) . This 
value  it  assigns  to  ASTE#.  Since  HASH  returns  a zero  if  the  segment 
is  active,  and  since  the  CPL  contains  I’s  in  the  bits  corresponding 
to  connected  processes,  if  ASTE#  and  AST_CPL(ASTE#)  are  both  non- 
zero, SOADD  must  proceed.  Otherwise,  no  processes  have  descriptors 
for  the  segment  and  the  call  is  ignored. 
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It  then  loops  through  all  processes,  PROCESS#  going  from 
PR0CESS#J1IN  to  PROCESS#_MAX.  If  PT_FLAGS  (PROCESS#)  logical  and 
PT_FLAGS_J1ASK  (FLAGS  and  LINK  entries  share  a byte)  equal  inactive, 
there  is  no  need  to  check  the  process.  If  it  is  not  INACTIVE, 

SOADD  must  ensure  that  it  is  not  connected  to  the  segment  without 
adequate  access  rights.  To  find  out,  it  needs  access  to  the  processes 
process  segment  (PS).  Hence,  LSD  is  called  to  load  the  descriptors 
of  the  process  segment,  identified  by  PT_PS_ASTE# (PROCESS#)  into 
the  kernel  register  2 at  PS_JCSR_ADR. 

SOADD  then  determines  whether  the  process  is  connected  to  the 
segment,  and  if  so,  in  what  mode  of  access.  If  AST_CPL(ASTE#) 
logical  and  PS_PROCESS_jyiASK,  which  contains  a single  1 in  the  bit 
corresponding  to  the  PROCESS#,  is  non- zero,  the  CPL  bit  for  the  process 
is  set.  If  it  isn’t,  SOADD  continues  looping  through  the  processes. 

If  ft  is,  SOADD  checks  if  the  process  is  also  on  the  segment’s  write 
access  list  - if  AST_JNAL(ASTE#)  logical  and  PS_PROCESS_MASK  are 
zero,  the  process  has  read  access  only,  and  MODE  is  set  to 
READ$EXECUTE_ACCESS . 

SOADD  then  calls  DSEARCH  which  searches  the  ACL  of  segment 
DASTE#,  OFFSET  to  see  if  access  MODE  is  still  permitted.  If  DSEARCH 
returns  OK_FLAG,  the  MODE  of  access  is  permitted;  if  DSEARCH  returns 
ERR__FLAG,  the  MODE  is  no  longer  permitted,  and  SOADD  destroys  the 
descriptor.  To  do  this,  it  must  find  the  seg#  of  the  segment:  it 
loops  through  all  the  seg#’s  from  SEG#_JMIN  to  SEG#_MAX  until  it  finds 
the  one  which  corresponds  to  the  segment,  the  one  for  which 
PS_SEG(SEG#)  equals  ASTE#.  SOADD  then  calls  DCONNECT  to  release  this 
segment  from  the  process’s  WS,and  continues  its  loop  through  the 
processes. 

After  it  has  checked  the  last  process,  PROCESS#_MAX,  the  kernel 
segmentation  register  2 must  be  restored  with  the  current  process’s 
process  segment.  SOADD  calls  LSD  to  load  the  descriptors  of 
PT_PS_ASTE#(THE_CURRENT_PROCESS)  into  the  register  at  PS_KSR_ADR 
and  then  returns. 

Function:  SOADD 

Parameters:  SOADD (daste#,  offset) 

Effect: 

Let  aste#  = HASH (DIRJDISK (daste# , offset)); 

IF  aste#  f 0; 

THEN: 

IF  (PROCESS#_MIN  <=  process#  <=  PROCESS#_MAX)  & 

PT_FLAGS  (process#)  7^  INACTIVE)  & 

AST^CPL  (aste# , process#) % 
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THEN: 

IF  AST_WAL (aste# , process#); 

THEN:  Let  mode  = WRITE; 

ELSE:  Let  mode  = READ; 

END; 

IF  not  DSEARCH (process#,  daste# 

’DIR_ACL_HEAD’ (aste#,  offset) , mode) ; 

THEN: 

IF  (SEG#_MIX  <1=  seg#  <=  SEG#_MAX)  & 

(’PS_SEG’ (process#,  seg#)  = aste#); 

THEN : DCONNECT (process# , aste# , seg#) ; 

END; 

END; 

END; 

END; 

3.2.27.2  N/A 

3.2.27.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 


Called  By 

GIVE 

RESCIND 

DELETSEG 


Calls 

DCONNECT 

DSEARCH 

HASH 

LSD 


3.2.27.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  SOADD.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References 

PS_PROCESS_MASK 
PS  SEG 


Function  Parameters 

DASTE# 

OFFSET 


Local  References 

ASTE# 

PROCESS# 


119 


Global  References 


Function  Parameters 


Local  References 


PT__FLAGS 

AST__CPL 

AST_WAL 

DIRJDISK 

THE  CURRENT  PROCESS 


MODE 

REG# 

SEG# 


Constants 


ERR_FLAG 
INACTIVE 
PROCESS#_MAX 
PROCESS  #_MIN 
PS_KSR_ADR 
PT  FLAGS  MASK 


READ$EXECUTE_ACCESS 
SDR__WRITE_ACCES  S 
SEG#_MAX 
SEG#_MIN 

WRITE$READ$EXECUTE_ACCESS 


3.2.27.5  Limitations 


None. 


3.2.27.6  Listing 


DATA  SOADD  (DASTE#,  OFFSET); 


PROGRAM  SOADD; 

DECLARE 

WORD  (ASTE#,  PROCESS#,  MODE,  REG#,  SEG#,  DOHMT)  ; 

/♦  DETERMINE  IF  SEGMENT  TO  WHICH  ACCESS  HAS  BEEN  RESCINDED  IS  ACTIVE 

ASTE#  :=  HASH (DIR_DISK (OFFSET) ) ; 

IF  (ASTE#  0)  & (AST  CPL(ASTE#)  ^ 0): 

THEN: 

/*  LOOP  THROUGH  ALL  PROCESS'S 

DO  PROCESS#  :=  PROCESS#_niN  TO  PROCESS  #_nAX; 

IF  (PT_FLAGS(PROCESS#)  S PT  FLAGS  MASK)  -.=  INACTIVE; 

THEN:  LSD  (PT.PS.ASTE#  (PROCESS#)  7 PS_KSR_ADR,  SDR^HRITE.ACCESS)  ; 

/♦  IS  THIS  PROCESS  CONNECTED  TO  THE  SEGMENT? 

IF  (AST_CPL  (ASTE#)  S PS_PROCESS_MASK)  0; 

THEN;  /♦  YES  - DETERMINE  MODE  OF  ACCESS  ♦/ 

IF  (AST_H  AL  (ASTE#)  5 PS_PROCESS_MAS  K)  =*=0; 

THEN:  mode  :=  READSExicUTE  ACCESS; 

ELSE;  MODE  ;=  HRITESREADSEXECUTE  ACCESS; 

END; 
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/♦  DOES  PROCESS  STILL  HAVE  ACCESS  RIGHTS? 

IP  DSEABCH  (DASTE#,  OFFSET,  flODE)  = ERR  FLAG; 
THEN; 


DO  SEG#  :=  SEG#_HIN  TO  SEG#_WAX; 

IF  PS_SEG(SEG#)  = ASTE#; 

THEN:  DCONNECT  (SEG#,  ASTE#); 
....  EXIT; 

END; 


END; 

END; 


END; 


END; 


END; 

/♦  RESTORE  KSR2 

LSD(PT_PS_ASTE#(THE_CURRENT_PROCESS) , PS  KSR  ADR,  SDR  WRITE  ACCESS); 

END;  “ “ “ “ 

3.2.28  Directory  Search  (PSEARCH) 

The  Directory  Search  CPC,  DSEARCH,  is  a kernel  level  internal 
SKCPP  function  that  is  called  by  both  a kernel  level  internal  function 
and  user  level  external  functions.  DSEARCH  calls  only  kernel  level 
internal  functions.  It  is  written  in  Project  SUE  System  Language. 

3.2.28.1  Description 

DSEARCH  determines  whether  the  mode  of  access  is  permitted  for 
the  calling  process.  It  makes  sure  the  directory  aste#  supplied 
does  identify  a directory,  returning  the  ERR^FLAG  if  AST__TYPE(ASTE#) 
logical  and  AST_TYPE__MASK  (type,  class,  status,  change,  and  unlock 
entries  share  a byte)  does  not  equal  ASTjrYPE__DIRECTORY.  It  then 
gains  access  to  the  directory.  If  AST__ASR(ASTE#) , which  holds  the 
main  memory  address  of  the  segment,  equals  zero,  DSEARCH  must  call 
SWAPIN  to  swap  the  directory  into  main  memory.  It  calls  LSD  to  load 
the  direcrory’s  descriptors  in  kernel  segmentation  register  3 at 
DIR_KSR__ADR. 

It  then  searches  for  an  ACL  element  concerning  the  current 
process,  beginning  at  the  head  of  the  ACL,  with  INDEX  set  to 
DIR__ACL__HEAD (OFFSET) . It  commences  a cycle  to  find  the  appropriate 
ACL  element:  if  INDEX  equals  zero,  the  end  of  the  ACL  has  been 
reached  without  finding  an  element  which  gives  the  process  access; 
DSEARCH  returns  with  ERR_FLAG.  It  sets  USER  to  ACL_USER (INDEX) 
logical  and  ACL_USER__MASK  and  it  sets  PROJECT  to  ACL  PROJECT  (INDEX)  . 
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When  USER  equals  ALL_USERS  or  USER  equals  PS__USER__ID  and  PROJECT 
equals  ALL_PROJECTS  or  PROJECT  equals  PS_PROJECT_ID,  the  cycle  is 
exited;  otherwise,  INDEX  is  reset  to  ACL_CHAIN ( INDEX)  , the  next  ACL 
element  number  and  the  cycle  continued. 

It  now  uses  the  ACL  element  it  has  found  to  test  whether  the 
requested  MODE  is  permitted.  If  ACLMODE (INDEX)  logical  and 
ACL_MODE_MASK  (mode  and  user  share  a word)  equals  NO_ACCESS,  DSEARCH 
returns  with  ERR_FLAG.  Also,  if  requested  MODE  is 
WRITE$READ$EXECUTE_ACCESS  and  ACL_MODE (INDEX  logical  and 
ACL_MODE_MASK  is  not  WRITE$READ$EXECUTE_ACCESS , ERR_FLAG  is  returned. 
Otherwise,  DSEARCH  returns  with  RC  set  to  OK_FLAG. 

Function:  DSEARCH 

Parameters:  DSEARCH (process#,  aste#,  aule#,  mode) 

Value: 

IF  acle#  ^ 0; 

THEN: 

IF  ((ACL_USER(aste#,  acle#)  = ALL_USERS)I 

(ACL_USER(aste#,  acle#)  = PS_USER_ID (process#) ) & 
((ACL_PROJECT(aste#,  acle#)  = ALL_PROJECTS)  1 
(ACL_PROJECT(aste#,  acle#)  = PS_PROJECT_ID (process#) ) ; 
THEN: 

IF  ACL_MODE(aste#,  acle#)  = NO; 

THEN:  FALSE; 

ELSE: 

IF  (mode  = WRITE)  & 

(ACL_MODE(aste#,  acle#)  f WRITE); 

THEN:  FALSE; 

ESLE:  TRUE; 

END; 

END; 

ELSE:  DSEARCH (process#,  aste#,  ACL_CHAIN(aste#,  acle#), 
mode) ; 

END; 

ELSE : FALSE 
END; 

3.2.28.2  N/A 

3.2.28.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  inparagraph  3.4. 
Called  By  Calls 

GETW  SWAP IN 
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Called  By 


Calls 


GETR  LSD 

SOADD 

3,2,28.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references 
and  constants  used  by  the  function  DSEARCH,  For  Data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3,1,  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2, 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


AST  TYPE 

DASTE# 

RC 

AST_ADR 

OFFSET 

DIR  ACL  HEAD 
ACL_USER 

ACL  PROJECT 

ACL  CHAIN 

ACL  MODE 

PS_USER  ID 
PS_PROJECT  ID 

ASTE# 

Constants 

ACL_MODE  MASK 

DIR  KSR  ADR 

ACL_USER_MASK 

EFF_FLAG 

ALL_PROJECTS 

NO_ACCESS 

ALL_USERS 

OK  FLAG 

AST  TYPE  DIRECTORY 

SDR_WRITE_ACCESS 

AST_TYPE_MASK 

28.5  Limitations 

WRITE$READ$EXECUTE_ACCESS 

DSEARCH  returns  ERR_FLAG  if  the  as te//  supplied  does  not  identify 
a directory,  if  the  end  of  the  ACL  has  been  reached  without  finding 
an  element  that  gives  the  process  access,  or  if  the  access  mode 
is  not  permitted.  Otherwise,  RC  = OK_FLAG. 

3.2.28.6  Listing 


DATA  DSEARCH  (ASTE#,  OFFSET,  MODE)  RETURNS  (RC)  ; 
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i I 

i 

PBOGRAM  DS&ARCH; 

DECLARE 

WORD  (INDEX,  USER,  PROJECT); 

i 

IF  (AST_TYPE  (ASTE#)  6 AST_Ty PE_nASK)  AST_TyPE_DIRECTOE Y; 

THEN; 

.•••  RETURN  WITH  ERR_FLAG; 

END; 

/♦  GAIN  ACCESS  TO  DIRECTORY  */ 

IF  AST_ADR  (ASTE#)  = 0; 

THEN:  SWAPIN  (ASTE#)  ; 

END; 

LSD(ASTE#,  DIR_KSR_ADP,  S CR_W  RITE_ACCESS)  ; 

/♦  NO  NEED  TO  CHECK  A USE  BIT  - ACL  WILL  BE  EHPTY  IF  ENTRY  IS  NOT  IN  USE  */ 

/♦  SEARCH  ACL  FOR  ELEMENT  THAT  GIVES  CURRENT  USER  PERHISSION  TO  ACCESS  ♦/ 

INDEX  :=  DIP_ACL_HEAD(OFFSET) ; 

CYCLE 

IF  INDEX  = 0; 

THEN; 

...•  RETURN  WITH  ERR_FLAG; 

END; 

USER  :=  (ACL_USER  (INDEX)  £ ACL_USER_MASK)  ; 

PROJECT  :=  ACL_PROJECT  (INDEX)  ; 

EXIT  WHEN  ((USER  = ALL_USERS)  | (USER  = PS_USER_ID))  & ((PROJECT  - 
PS_PROJECT_ID)  I (PROJECT  = ALL_PROJECTS) ) ; 

INDEX  ;=  ACL_CHAIN  (INDEX)  ; 

END; 

IF  (ACL_nODE (INDEX)  5 ACL_HODE_HASK)  = NO_ACCESS; 

THEN: 

....  RETURN  WITH  ERR_FLAG; 

END; 

IF  (NODE  = WRITE$READ$EX  ECUTE_ACCESS)  S ( (ACL^MODE  (INDEX)  6 ACL_nODE_fl ASK)  = 
WRITE$READ$EXECUTE_ACCESS)  ; 

THEN: 

....  RETURN  WITH  ERR_FLAG; 

END; 

RC  :=  OK_FLAG; 


3.2.29  Activate  Segment  (ACT) 

The  Activate  Segment  CPC,  ACT  is  a kernel  level  internal 
SKCPP  function  that  is  called  by  a user  level  external  functions. 
ACT  calls  only  kernel  level  Internal  functions.  It  is  written  in 
Project  SUE  System  Language. 
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3.2.29.1  Description 


ACT  activates  a segment,  copying  Its  directory  entry  Into  the 
ASTE  and  Initializing  the  other  fields  of  the  ASTE.  First,  It 
allocates  an  AST  entry.  It  checks  If  any  are  on  the  free  chain: 

If  AST_CHAIN(0)  Is  zero,  there  are  none.  In  this  event  It  deactivates 
the  ASTE  which  has  been  eligible  for  deactivation  longest.  It  sets 

I to  0.  It  then  repeatedly  assigns  NEXT  the  value  of  AST_AGE ^CHAIN(I) 

and  I the  value  of  NEXT  until  AST_AGE_CHAIN (NEXT)  equals  0,  marking 
the  end  of  the  age  chain.  NEXT  now  holds  the  aste//  of  the  entry 
which  was  on  the  AGE  chain  longest.  ACT  calls  DEACT  to  free  this 
entry.  Now  that  there  Is  at  least  one  aste//  on  the  free  chain, 

ASTE#  can  be  set  equal  to  AST_CHAIN(0) , the  aste#  of  the  first 
element  on  the  free  chain.  Assigning  AST_CHAIN(0)  the  value  of 
AST_CHAIN(ASTE#)  removes  the  entry  from  the  free  chain.  Since  the 
segment  Is  not  connected  to  any  process  at  activate  time.  It  Is 

marked  eligible  for  deactivation  by  letting  AST_AGE CHAIN (ASTE#) 

equal  AST_AGE_CHAIN(0)  and  AST_AGE_CHAIN (0)  equal  ASTE#. 

Act  then  updates  the  HASH  data  base.  It  calls  PREHASH  to 

calculate  the  hash  value  HASH  VAL  associated  with  DIR DISK (OFFSET) , 

the  disk  address  of  the  segment.  It  then  sets  AST_CHAIN (ASTE# ) to 
HASH_TABLE (HASH_VAL)  and  HASHJTABLE (HASH_VAL)  to  ASTE#.  This 
adds  the  entry  to  the  head  of  a chain  of  ASTE's  whose  entries 
disk  addresses  map  onto  the  same  hash  value. 

ACT  Is  now  ready  to  fill  In  the  ASTE  It  has  allocated.  Since 
the  segment  Is  not  yet  connected  to  any  processes  and  can*t  be 
swapped  In  yet,  the  main  memory  address,  AST_ADR(ASTE#) , the 

descriptor  count,  AST_DES ^COUNT(ASTE#) , and  the  CPL,  AST ^CPL(ASTE#) 

are  all  set  to  zero.  The  rest  of  the  entry  Is  copied  from  the 
directory  entry.  AST_CLASS (ASTE#)  Is  set  equal  to  DIR_CLASS (OFFSET) 
which  sets  the  type  and  status  as  well  as  the  classification. 

AST  CAT,  AST_DISK,  and  AST_SIZE  get  DIR_CAT , DIR_DISK  and  DIR_SIZE, 
repectlvely . 

Now,  If  the  directory  status  bit  was  set  to  uninitialized.  It 
must  be  reset.  If  DIR._STATUS (OFFSET)  logical  and  DIR_STATUS_MASK 
equals  DIR_UNINITIALIZED,  DIR_STATUS (OFFSET)  Is  reset  to  DIR_STATUS 
(OFFSET)  logical  and  DIR_STATUS_NOTMASK  (all  I's  except  for  the 
status  bit,  so  class  and  type  Information  Is  not  disturbed) . In 
this  case,  the  directory  has  been  changed,  so  AST_CHANGE(DASTE#) 
must  be  reset  to  AST_CHANGE (DASTE#)  logical  or  AST_CHANGED  to 
Insure  that  the  directory  will  be  copied  onto  disk  when  swapped 
out. 


125 


Finally,  ACT  initializes  the  segment's  semaphore.  SMFR_COUNT(ASTE#) 
is  set  to  1 and  SMF  POINTER (ASTE//) , the  head  of  a chain  of  processes 
blocked  on  the  semaphore,  is  set  to  0.  ACT  returns  the  ASTE# 
allocated  to  the  segment. 

Function:  ACTIVATE 

Parameters:  ACTIVATE (daste#,  offset) 

Effect: 

IF  'AST_CHAIN' (0)  = 0; 

THEN:  Let  aste#  = NEXTASTE(' AST_AGE_CHAIN' (0)) ; 

DEACTIVATE (as te#); 

ELSE:  Let  aste#  = ' AST_CHAIN' (aste#) ; 

AST_CHAIN(0)  = 'AST_CHAIN' (aste#); 

END: 

HASH(DIR_DISK(daste#,  offset))  = aste#; 

AST_ADR(aste#)  = 0; 

AST_LOCK(aste#)  = UNLOCK; 

AST_DES_COUNT(aste#)  = 0; 

IF  (PR0CESS#_MIX  «d=  process#  <=  PR0CESS#_MAX)  ; 

THEN:  AST_CPL(aste#,  process#)  = FALSE; 

AST_WAL(aste#,  proce_ss#)  = FALSE; 

END; 

AST_TYPE(aste#)  = DIR_TYPE (daste#,  offset); 

AST_STATUS(aste#)  = 'DIR_STATUS' (daste#,  offset); 

AST_CLASS(aste#)  = DIR_CLASS (daste#,  offset); 

AST_CAT(aste#)  = DIR_CAT (daste#,  offset); 

AST_DISK(aste#)  = DIR_DISK (daste#,  offset); 

AST_SIZE(aste#)  = DIR_SIZE (daste#,  offset); 

IF  'DIR_STATUS' (daste#,  offset)  = UNINITIALIZED; 

THEN:  DIR_STATUS  (daste#,  offset)  = INITIALIZF.n; 

END; 

AGE (aste#); 

3.2.29.2  N/A 

3.2.29.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 


Called  By 


Calls 


DELETE 

CONNECT 


DEACT 

PREHASH 


3.2.29.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  ACT.  For  data  base  references 
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refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


AST_CHAIN 

AST_AGE_CHAIN 

AST_ADR 

ASTJ)ES_COUNT 

AST_CPL 

AST  CHANGE 


DASTE# 

OFFSET 


ASTE# 


HASH  VAL 


INDEX 

NEXT 

I 


RC 


AST_CLASS 

AST^CAT 

AST_DISK 

AST_SIZE 

DIR_CLASS 

DIR_CAT 

DIRJ)ISK 

DIR_SIZE 

DIR_STATUS 

HASH_TABLE 

SMFR_POINTER 

SMFR_COUNT 

Constants 

AST_CHANGE 

DIR_STATUS 

DIR_STATUS_MASK 

DIR_STATUS_NOTMASK 

DIR_UNINITIALIZED 

3.2.29.5  Limitations 

3.2.29.6  Listing 


DATA  ACT(DASTE#,  OFFSET)  PFTOPNS  (PC); 
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■># 


PROGRAM  ACT; 

DECLARE 

WORD  ( ASTE#,  I,  NEXT,  HASH^VAL) ; 

/♦  ALLOCATE  AN  ASTE  ENTRY 

/♦  HEAD  OF  FREE  ASTE  CHAIN  IS  IN  ASTE  0 

IF  AST_CHAIN(0)  = 0; 

THEN; 

/♦  NO  FREE  ASTF#*S  - LOOK  ON  AGE  CHAIN 


I :=  0; 


CYCLE 

NEXT  ;=  AST_AGE_CHAIN (I) ; 

....  EXIT  HHFN  AST_AGE_CHAIN  (NEXT)  = 0; 
I NEXT; 

END; 


DEACT  (NEXT)  ; 

END ; 

/♦  A FREE  ASTE#  EXISTS 
ASTE#  AST_CHAIN  (0)  ; 

/♦  REMOVE  THIS  ASTE  FROM  THE  FREE  CHAIN 

AST_CHAIN  (0)  ;=  AST_CHAIN  (ASTE#)  ; 

AST_AGE_CHAIN (ASTE#r  1=  AST  AGE  CHAIN  (0); 
AST^AGE^CHAIN  (0)  ;=  ASTE#; 

/♦  UPDATE  HASH  DATA  BASE 

HASH_VAL  :=  PREHASH(DIR_DISK (OFFSET)  ) ; 
AST_CHAIN  (ASTE#)  :=  HASH  TABLE(HASH  VAL)  ; 
HASH_TABLE (HASH^VAL)  :=  ASTE#; 

/♦  CLEAN  UP  AST  ENTRY 

AST_ADR  (ASTE#)  : = 0; 

AST_DES_CODNT  (ASTE#)  ;=  0; 

AST_CPl7aSTE#)  :=  O; 

/♦  FILL  IN  AST  ENTRY 


♦/ 


AND  AGE  ♦/ 


♦/ 


♦/ 


♦/ 


AST_CLASS (ASTF#)  :=  DIR_CLASS (OFFSET) ; /♦  SETS  TYPE,  STATUS  ♦/ 

AST_CAT  (ASTE#)  :=  DIR_CAT  (OFFSET)  ; 

AST_DISK  (ASTE#)  :=  Dli_DI  SK  (OFF  SET)  ; 

AST_SIZE(  ASTE#)  DIR^SIZE  (OFFSET)  ; 

IF  (DIR_STATOS(OFFSFT)  S DIR_STAT0S_MASK)  = DIR_0  MIIIITI ALIZED ; 

THEN:  DIR_STATOS  (OFFSET)  :=  ( DIR_STATOS  (0  FFSET)  S DIR_STATUS  NOTHASK)  ; 


/♦  DIRECTORY  HAS  BEEN  WRITTEN  INTO  - MUST  SET  CHANGE  BIT 
AST^CHANGE  (DASTE#)  :=  ( AST_CHANGE  ( DASTE#)  | AST_CHANGED)  r 

END; 

/♦  INITIALIZE  SEMAPHORE  ASSOCIATED  WITH  SEGMENT 

SMFR^COUNT  (ASTE#)  :=  1; 

SMFR^POINTER  (ASTE#)  :=  0; 

RC  ;=  ASTE#; 


♦/ 


♦/ 


! 


I 
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3.2.30  Deactivate  Segment  (DEACT) 


The  Deactivate  Segment  CPC,  DEACT,  Is  a kernel  level  Internal 
SKCPP  function  that  Is  only  called  by  other  kernel  level  Internal 
functions.  DEACT  calls  only  kernel  level  Internal  functions.  It 
Is  written  In  Project  SUE  System  Language. 

3.2.30.1  Description 

DEACT  removes  a specified  segment  from  the  age  chain  and  frees 
Its  active  segment  table  entry.  First,  It  runs  through  the  age 
chain  to  find  entry  ASTE#.  Starting  with  INDEX  equal  to  zero.  It 
repeatedly  resets  NEXT  to  AST_AGE_CHAIN( INDEX)  and  INDEX  to  NEXT 
until  NEXT  equals  ASTE#.  It  links  INDEX,  the  aste  just  before  the 
specified  ASTE  to  the  entry  after  the  specified  ASTE  by  setting 
AST_AGE_CHAIN (INDEX)  to  AST_AGE_CHAIN(ASTE#) . Setting 
AST_AGE_CHAIN (ASTE#)  to  zero  marks  It  unaged. 

Next,  since  an  uninitialized  segment  cannot  be  deactivated. 

If  AST_STATUS (ASTE#)  logical  and  AST_STATUS_MASK  equals 
AST_UNITIALIZED,  DEACT  calls  SWAPIN.  SWAPIN  places  the  segment 
In  main  memory  and  also  causes  It  to  be  Initialized.  Then,  If 
AST_ASR(ASTE#) , which  holds  the  segment's  main  memory  address.  Is 
non-zero,  SWAPOUT  Is  called  to  remove  the  segment  from  main  memory. 

DEACT  then  removes  the  ASTE  from  the  hash  data  base.  It  calls 
PREHASH  which  finds  the  HASH_VALue  associated  with  the  segment's 
disk  address  AST_DISK(ASTE#) . If  HASHJTABLE CHASH_VAL) , the  head  of 
the  chain  of  aste's  with  hash  values  of  HASH_VAL,  equals  ASTE#, 

ASTE  can  be  removed  from  the  hash  data  base  simply  by  resetting 
HASH_TABLE(HASH_VAL)  to  AST_CHAIN (ASTE#) . Otherwise,  DEACT  must 
run  through  the  chain  until  It  finds  ASTE.  It  starts  by  setting 
HASH_VAL  to  AST_CHAIN(ASTE#)  and  repeatedly  setting  NEXT  to 
AST_CHAIN(HASH_VAL)  and  HASH_VAL  to  NEXT  until  NEXT  equals  ASTE#. 

Now,  ASTE  can  be  removed  from  the  HASH  chain  by  letting 
AST_CHAIN(HASH_VAL)  equal  AST_CHAIN(ASTE#) . 

Finally,  DEACT  places  ASTE#  at  the  head  of  the  free  chain.  It 
links  It  to  the  first  aste  on  the  chain  by  setting  AST_CHAIN(ASTE#) 
to  AST_CHAIN(0)  and  resetting  the  head  of  the  chain,  AST_CHAIN(0)  to 
ASTE#.  DEACT  Is  then  exited. 
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Function:  DEACTIVATE 
Parameters:  DEACTIVATE (as te#) 

Effect: 

UNAGE  ( * AST__AGE_CHAIN  * ( 0)  , as  te#  ) ; 

IF  *AST_STATUS' (aste#)  = UNINITIALIZED; 
THEN:  SWAPIN(aste#) ; 

SWAPOUT(aste#); 

ELSE: 

IF  'AST_ADR* (ASTE#)  i 0; 

THEN:  SWAPOUT(aste#); 

END; 

END; 

HASH (AST_DISK (aste#))  = 0; 

AST_CHAIN(aste#)  = 'AST_CHAIN' (0) ; 
AST_CHAIN(0)  = aste#; 

Function:  AGE 
Parameters:  AGE (aste#) 

Effect: 

AST_AGE_CHAIN(aste#,  = *AST_AGE_CHAIN* (0) ; 
AST_AGE_CHAIN(0)  = aste#; 

AST_AGE(aste#)  = AGED; 


Function:  UNAGE 

Parameters:  UNAGE(vaste#)  “ aste#) 

Effect: 

IF  *AST_AGE_CHAIN' (vaste#)  = aste#; 

THEN:  AST_AGE_CHAIN (vaste#)  = AST_AGE_CHAIN(aste#) 
AST_AGE(aste#)  = UNAGED; 

ELSE:  UNAGE ('AST_AGE_CHAIN' (vaste#,  aste#); 

END; 

Func.tion : NEXTASTE 
Parameters:  NEXTASTE (aste#) 

Effect: 

IF  AST_AGE_CHAIN(aste#)  = 0; 

THEN;  aste#; 

ELSE ; NEXTASTE (AST_AGE_CHAIN (as  te#) ) ; 

END; 

3.2.30.2  N/A 
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3.2.30.3  Interfaces 


Refer  to  Figure  6,  Function 

Called  By 

DELETSEG 

ACT 


Call  Matrix,  in  paragraph  3.4 

Calls 

SWAP IN 

SWAPOUT 

PREHASH 


3.2.30.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  DEACT.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References 

AST_CHAIN 
AST_AGE_CHAIN 
AST_STATUS 
AST_ADR 
HASH  TABLE 


Function  Parameters 

ASTE# 


Local  References 

HASH_VAL 

INDEX 

NEXT 


Constants 


AST_STATUS_MASK 

AST_UNINITIALIZED 

3.2.30.5  Limitations 


None 

3.2.30.6  Listing 


DATA  DSACT  (AS?E#)  ; 


PROGRAM  DEACT; 

DECLARE 

HORD  (HASH_VAL,  INDEX,  NEXT); 
/»  REMOVE  FROM  AGE  CHAIN 
INDEX  ;=  0; 


♦/ 


131 


CYCLE 

NEXT  :=  AST_AGE_CRAIN  (INDEX)  ; 

EXIT  WHEN  NEXT  = ASTE#; 

INDEX  :=  NEXT; 

END; 

AST_AGE_CHAIN  (INDEX)  ;=  A ST_AGE_CH AI N ( ASTEt)  ; 

AST_AG|:”CHAIN  (ASTE#)  :=  0; 

/♦  CAN  NOT  DEACTIVATE  AN  UNINITIALIZED  SEGNENT 

IF  ( AST_STATUS ( ASTE#)  E AST_ST ATU S^N ASK ) = AST_DN IN ITIA LIZED ; 

TREN:“SWAPIN(ASTE#) ; 

END; 

/*  SWAPOUT  IE  IN  RAIN  REMORY 

IF  AST^ADR  (ASTE#)  -»=  0; 

TREnT  SWAPOUT (ASTE#) ; 

END; 

/♦  REROVE  THIS  ASTE  FROR  HASH  TABLE  OR  HASH  CHAIN 

HASH^VAL  :=  PREHAS H ( AST^DISK ( ASTE#) ) ; 

IF  HASH_TABLE  (HASH^V  AL)  = ASTE#; 

THEN:  HASH_TABLE(flASH_VAL)  ;=  AST^CHA  IN  ( A ST  F#)  ; 

ELSE:  HASH^VAL  :=  HA SH^TABLE ( HASH^V AL)  ; 

CYCLE 

NEXT  :=  AST_CHAIN  (HASH^VAL)  ; 

•••.  EXIT  WHEN  NEXT  = ASTE#; 

HASH^VAL  :=  NEXT; 

END; 

AST_CHAIN (HASH_V AL)  :=  AST^CHAIN  ( ASTE# ) ; 

END; 

/♦  ADD  THIS  AST  ENTRY  TO  THE  FREE  CHAIN 

AST.CHAIN (ASTE#)  :=  AST_C H AIN  (0) ; 
ast“chain(0)  :=  ASTE#; 


3-2,31  Swap  Segment  In  (SWAPIN) 

The  Swap  Segment  in  CPC,  SWAPIN,  is  a kernel  level  internal 
SKCPP  function  that  is  called  by  both  user  level  external  and  kernel 
level  internal  functions.  SWAPIN  calls  only  kernel  level  internal 
functions.  It  is  written  in  Project  SUE  System  Language. 

3.2.31.1  Description 


SWAPIN  swaps  a specified  active  segment  into  main  memory.  First 
it  allocates  a free  block  of  space  for  the  segment.  It  assigns 
BLOCK#  the  value  of  MBT__CHAIN(0)  logical  and  MBT_CHAINJ1ASK  (the 
flags,  chain,  and  aste  entries  all  share  a word  on  the  MBT) . If 
BLOCK#  equals  END__BL0CK#,  there  are  no  more  blocks  on  the  free  chain 
so  a segment  must  be  swapped  out.  SWAPIN  finds  the  segment  which 
has  been  eligible  for  swapping  out  longest  by  running  through  to 


the  end  of  the  swap  chain.  It  sets  I equal  to  zero.  Then,  it 
repeatedly  resets  NEXT  to  the  next  element  in  the  chain,  AST_ 
SWAP_CHAIN(I)  and  I to  NEXT  until  AST_SWAP_CHAIN (NEXT)  is  zero. 

Having  found  the  end  of  the  swap  chain,  it  corrects  BLOCK#  to 
AST_ADR(NEXT) , the  main  memory  address  of  the  segment  it  will  get 
rid  of,  and  calls  SWAPOUT  to  remove  NEXT  from  main  memory.  There 
is  now  at  least  one  block  on  the  free  chain.  Assigning  MBT_CHAIN(0) 
the  value  of  MBT_CHAIN(ASTE#)  removes  BLOCK#  from  the  head  of  the 
chain  and  setting  MBT_FLAGE (BLOCK#)  to  ALLOCATED  marks  the  block 
allocated. 

If  the  segment  is  uninitialized,  SWAPIN  initializes  it  rather 
than  performing  disk  I/O.  If  AST_STATUS (ASTE#)  logical  and 
AST_STATUS_MASK  (status  shares  a byte  with  four  other  AST  entries) 
equal  AST_UNINITLIZED , INITSEG  is  called  to  reset  the  segment 
to  all  zeros  and  remove  all  ACL  elements  if  the  segment  is  a directory. 
Otherwise,  DISKIO  is  called  to  read  the  segment  from  the  disk.  A 
P is  performed  in  the  DISK_SMFR  which  stalls  the  process  until  the 
disk  operation  is  complete  and  a V is  performed  on  the  disk  semaphore. 

SWAPIN  then  updates  the  data  base.  AST_ADR(ASTE#)  is  assigned 
BLOCK#,  the  main  memory  address  of  the  segment,  and  MBT_ASTE (BLOCK#) 
gets  ASTE#  logical  or  ALLOCATED.  Then,  since  no  descriptors  for 
the  segment  exist  yet,  SWAPIN  marks  the  segment  eligible  for 
swapping  out.  It  adds  it  to  the  head  of  the  swap  chain  by  letting 
AST_SWAP_CHAIN(ASTE#)  equal  AST_SWAP_CHAIN (0)  and  by  letting 
AST_SWAP_CHAIN(0)  equal  ASTE#.  Resetting  AST_UNLOCK(ASTE#)  to 
AST_UNLOCK(ASTE#)  logical  or  AST_UNLOCK_FLAG  shows  that  no 
descriptors  exist  for  the  segment  and  completes  the  operation. 

Function:  SWAPIN 

Parameters:  SWAPIN (as te#) 

Effect : 

Let  size  = AST_SIZE(aste#) ; 

Let  block#  = FINDFREE ('MBT_CHAIN' (0) , size); 

ALLOCBLOCK(’MBT_CHAIN’ (0) , block#) ; 

IF  ’AST_STATUS’ (aste#)  = UNINITIALIZED; 

THEN:  INITSEG ''aste#,  block#); 

AST_STATUS(aste#)  = INITIALIZED: 

AST_CHANGE (block#)  = CHANGED; 

ELSE:  DISKIO(aste#,  block#,  DISK_READ) ; 

AST_CHANGE (block#)  = UNCHANGED; 

P (DISK_SEMAPHORE) ; 

END; 

AST_ADR(aste#)  = block#: 

MBT_ASTE (block#)  = aste#; 
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UNLOCK (aste#); 

Function:  FINDFREE 

Parameters:  FINDFREE (block#,  size) 

value : 

IF  block#  = END_BLOCK#; 

THEN:  RESTART; 

ELSE: 

IF  MBT_SIZE (block#)  = size; 

THEN:  block#; 

ELSE:  FINDFREE (MBT_CHAIN (block#,  size); 

END; 

END; 

Function:  ALLOCMEM 

Parameters:  ALLOCMEM (vb lock#,  block#) 

Effect: 

IF  'MBT_CHAIN' (vblock#)  = block#; 

THEN:  MBT_CHAIN (vblock#)  = MBT_CHAIN (block#) ; 

MBT_FLAGE (block#)  = ALLOCATED; 

ELSE:  ALLOCMEM ('MBT_CHAIN' (vblock#) , block#); 

END; 

3.2.31.2  N/A 

3.2.31.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 


Called  By 

Calls 

DEACT 

INITSEG 

GETDIR 

SWAPOUT 

READIR 

P 

WRITEDIR 

DISKIO 

DSEARCH 

ENABLE 

3.2.31.4  Data  Base  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  SWAPIN.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2. 
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Data  Base  References 


Global  References  Function  Parameters  Local  References 


BLOCK# 

NEXT 

I 


Constants 

ALLOCATED 

AST_STATUS_MASK 

ASTJJNINITIALIZED 

AST_UNLOCK_FLAG 

DISK_READ 

DISK_SMFR 

END_BLOCK# 

MBT_CHAIN_MASK 

3.2.31.5  Limitations 


AST_SWAP_CHAIN  ASTE# 

AST_ADR 

AST_STATUS 

AST_UNLOCK 

MBT_CHAIN 

MBT_FLAG 

MBT  ASTE 


None 


3.2.31.6  Listing 


DI^TA  SWAPIN(  ASTF#)  ; 

DECLARE 

PfiOCEDUP’=’  ACCEPTS  (WORD,  WORD)  (INITSEG)  ; 


PROGRAM  SWAPIN; 
declare 

WORD  (BLOCK#,  I,  NEXT); 

/*  LOOK  FOR  A FREE  BLOCK 

BLOCK#  :=  (MBT_CH  AIN  (0)  & MBT_CHAIN_M  ASK)  ; 

IF  BLOCK#  = FND_BLnCK#; 

/♦  NO  FREE  BLOCKS  - LOOK  AT  SWAP  CHAIN  FOR  SOMETHING  TO  SWAPOUT 

THEN:  I :=  0; 

CYCLF 

NEXT  :=  AST_SW AP_CHAIN  ( I)  ; 

....  EXIT  WHEN  A ST_S WAP_CH AI N ( NEXT)  = 0; 

I :=  NEXT; 

END; 
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BLOCK#  :=  AST_ADR(NEXT) ; 

SWAPOUT  (NEXT)  ; 

END; 

/*  RPMOVE  BLOCK  FROM  FREE  CHAIN  ♦/ 

MBT_CH.MN  (0)  :=  MBT_CHA I N (BLOC K #)  ; 

MBT_FLAGS  (BLOCK#)  ;=  ALLOCATED; 

/♦  IF  SEGMENT  IS  UNINITIALIZED  DO  NOT  PERFORM  DISK  I/O  »/ 

IF  (AS'T’_STA  TUS  (ASTR  #)  S A ST_ST  ATII  S_M  A SK ) = AS  T_UN  IN  IT  I A LI  ZED ; 

THEN:  INITSEG (A STF# , BLOCK#); 

ELSF: 

/*  START  DISK  I/O  AND  WAIT  FOP  COMPL5TEION  ♦/ 

DISKIO  (AST_DISK  (ASTE#)  , BLOCK#,  A ST_S  I ZE  (AST  E # ) , DISK_READ)  ; 

P (DISK_SMFR)  ; 

END; 

/♦  UPDATE  AST  ♦/ 

AST_ADR  (ASTF#)  :=  BLOCK#; 

MBT_ASTE (BLOCK#)  :=  (ASTE#  1 ALLOCATED); 

/♦  PUT  SEGMENT  ON  SWAP  CHAIN  ♦/ 

AST_SWAP_CHAIN  (ASTE#)  AST_SWAP_CHAIN  (0)  ; 

AST_SWAP_CHAIN (0)  ;=ASTE#; 

AST_UNLOCK  (ASTE#)  :=  ( AST_UNLOCK  ( AST E# ) | A ST^UNLOC K_FL AG ) ; 

3.2.32  Swap  Segment  Out  (SWAPOUT) 

The  Swap  Segment  Out  CPC,  SWAPOUT,  is  a kernel  level  internal 
SKCPP  function  that  is  only  called  by  other  kernel  level  internal 
functions.  SWAPOUT  calls  only  kernel  level  internal  functions.  It 
is  written  in  Project  SUE  System  Language. 


3.2.32.1  Description 


SWAPOUT  removes  a specified  segment  from  main  memory.  It 
sets  BLOCK#  to  AST_ADR(ASTE#) , which  holds  the  main  memory  address 
of  the  segment,  and  AST_ADR_(ASTE#)  to  zero  to  show  that  the 
segment  is  swapped  out. 

Then,  SWAPOUT  marks  the  segment  ineligible  for  swapping  out. 

It  goes  through  the  swap  chain  to  find  the  segment  identified  by 
ASTE#.  Starting  with  I equal  to  0 and  resetting  NEXT  to 
AST_SWAP_CHAIN (INDEX)  and  INDEX  to  NEXT  until  NEXT  equals  ASTE#. 
INDEX  now  holds  the  aste#  of  the  segment  before  the  one  designated 
to  be  swapped  out.  SWAPOUT  removes  ASTE#  from  the  swap  chain  by 
setting  AST_SWAP_CHAIN  (INDEX)  to  AST_SWAP_CHAIN(ASTE#)  and 
AST_SWAP_CHAIN(ASTE#)  to  zero.  It  then  resets  the  unlocked  bit  to 
locked  by  letting  AST_UNLOCK(ASTE#)  equal  AST_UNLOCK(ASTE#)  logical 
and  ASTJ.OCKJMASK  (all  I’s  except  for  a 0 in  the  UNLOCK  bit). 
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If  the  segment  has  been  changed  while  in  main  memory,  it 
should  be  copied  onto  disk;  otherwise  SWAPOUT  doesn't  bother.  If 
AST_CHANGE(ASTE#)  logical  and  AST_CHANGE_MASK  equals  AST_CHANGED, 

DISKIO  Is  called  to  Initiate  a disk  write  operation.  While  the 
operation  is  performed,  SWAPOUT  resets  the  change  bit  to  AST_CHANGE 
(ASTE#)  logical  and  AST_UNCHANGED_MASK.  To  avoid  getting  ahead  of 
the  disk,  it  performs  a P on  the  DISK_SMFR,  stalling  the  process 
until  the  disk  write  Is  completed. 

SWAPOUT  then  frees  the  memory  allocated  to  the  segment,  putting 
the  block  on  the  free  chain  In  ascending  order  of  block#' s.  Starting 
with  INDEX  equal  to  0,  it  runs  through  the  chain  until  the  next  block#, 
MBT_CHAIN (INDEX)  logical  and  MBT_CHAIN_MASK , is  greater  than  BLOCK#, 

repeatedly  resetting  INDEX  to  MBT ^CHAIN (INDEX)  and  MBT_CHAIN_MASK. 

INDEX  now  contains  the  block  after  which  BLOCK#  should  be  Inserted. 
Setting  MBT_CHAIN (BLOCK#)  equal  to  MBT_CHAIN (INDEX)  and  MBT_CHAIN 
(INDEX)  to  BLOCK#  logical  or  FREE_MEM  places  BLOCK#  in  the  proper 
position  on  the  free  chain.  SWAPOUT  is  then  exited. 

Function:  SWAPOUT 

Parameters:  SWAPOUT (as te#) 

Effect : 

Let  block#  = 'AST_ADR'  (aste#) ; 

LOCK(aste#) ; 

AST_ADR(aste#)  = 0; 

IF  AST_CHANGE (block#)  = CHANGED; 

THEN:  DISKIO(aste#,  block#,  DISK_WRITE) ; 

P (DISK_SEMAPHORE) ; 

END; 

FREEMEN ('MBT_CHAIN' (0) , block#) ; 

Function:  FREEMEN 

Parameters:  FREEMEN (vb lock#,  block#) 

Effect: 

IF  'MBT_CHAIN (block#) > block# ; 

THEN:  MBT_CHAIN (block#)  = 'MBT_CHAIN' (vblock#) ; 
MBT_CHAIN(vblock#)  = block#; 

MBT_FLAGS (block#)  = FREE; 

MBT_ASTE (block#)  = 0; 

ELSE:  FREEMEM('MBT_CHAIN' (vblock#) , block#); 

END; 

3.2.32.2  N/A 

3.2.32.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 
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Called  By 


Calls 


DEACT 
SWAP IN 


P 

DISKIO 


3.2.32.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  SWAPOUT.  For  data  base  references 
refer  to  Figure  5 , Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


AST_ADR 
AST_SWAP_CHAIN 
AST  UNLOCK 


ASTE# 


BLOCK# 

INDEX 

NEXT 


AST_CHANGE 

MBT_CHAIN 

Constants 

ALLOCATED 

AST_CHANGE 

AST_CHANGE_MASK 

AST_LOCK_MASK 

AST_UNCHANGED_MASK 

DISK_SMFR 

DISK_WRITE 

FREE_MEM 

MBT_CHANGE_MASK 

3.2.32.5  Limitations 
None 

3.2.32.6  Listing 

DATA  SWAPOUT  (ASTF#)  ; 


138 


PROGRAM  SWAPOUT;  | -|6 

DECLARE  I 16 

WORD  . (BLOCK#,  INDEX,  NEXT)*;  |16 

BLOCK#  :=  AST  ADR(ASTE#);  1 40 

AST_ADR  (ASTE#y  ;=  0;  |64 

I 

/♦  REMOVE  FROM  SWAP  CHAIN  */\6H 

I 

INDEX  :=  0;  |72 

I 

CYCLE  1 72 

NEXT  :=  AST_SWAP_CHAIN (INDEX)  ; |114 

EXIT  WHEN  NEXT  = ASTE#;  |136 

INDEX  :=  NEXT;  |144 

END;  1146 

I 

AST_SWAP_CHAIN (INDEX)  :=  AST_SWAP  CHAIN (ASTE#) ; |210 

AST_SWAP_CHAIN (ASTS#)  :=  0;  “ ” |234 

AST_UNLOCK  (ASTE#)  :=  (AST_UNLOCK  (ASTE#)  6 AST_LOCK_MASK) ; |304 

I 

/♦  ONLY  PERFORM  DISK  WRITE  IF  SEGMENT  HAS  CHANGED  ♦/! 304 

I 

IF  (AST_CHANGE(  ASTE#)  & AST_CHANGE_H  ASK)  = AST_CHANGED;  | 346 

THEN:  DISKIO(AST_DISK  (ASTE#)  , BLOCK#,  A ST_S  IZE  (A  STS  #)  , DISK_WKITE);  |442 

I 

/*  DO  BOOKKEEPING  AND  WAIT  FOR  I/O  TO  COMPLETE  */(442 

AST_CHANGE  (ASTE#)  :=  AST  CHANGE  (ASTE#)  & AST_U NCHA  NGEn_M ASK ; |512 

P(DISK_SMFR)  ; ” (542 

END;  1542 

I 

/♦-  FREE  MEMORY  ALLOCATED  TO  SEGMENT  ♦/|542 

I 

INDEX  :=  0;  I 550 

I 

CYCLE  1550 

EXIT  WHEN  (MBT_CHAIN  (INDEX)  6 MBT_CHAIN_MASK)  > BLOCK#;  |616 

INDEX  :=  (MBT_CHAIN (INDEX)  6 M BT_CHA IN_M A SK) ; (652 

END;  ■ ■ ■ 1654 

/♦  PLACE  BLOCK  TO  BE  FREED  IN  THE  CHAIN  V|654 

I 

MBT_CHA  IN  (BLOCK#)  :=  MBT_CHAIN  (INDEX)  ; |716 

MBT_CHAIN  (INDEX)  :=  (BLOCK#  | FREE_MEM);  |750 

3-2.33  Initialize  Segment  (INITSEG) 

The  Initialize  Segment  CPC,  INITSEG,  is  a kernel  level  Internal 
SKCPP  function  that  is  called  by  another  kernel  level  Internal 
function.  INITSEG  calls  only  one  other  kernel  level  internal 

function.  It  is  written  in  Project  SUE  System  Language. 

3.2.33.1  Description 

INITSEG  initializes  a directory  or  data  segment.  It  sets 
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AST_ADR(ASTE#) , the  segment’s  main  memory  address,  to  the  BLOCK# 
supplied  as  a parameter.  It  then  calls  LSD  to  load  the  descriptors 
of  the  segment  identified  by  ASTE#  in  the  kernel  register  at 
DIR_KSR_ADR.  This  provides  access  to  the  segment. 

INITSEG  then  performs  the  actual  initialization.  As  I goes 
from  0 to  511,  it  sets  ZERO_ARRAY (I)  to  0.  Thus,  assuming  all 
segments  are  SIZE2,  IK  bytes,  if  the  segment  is  a directory,  all 
entires  are  marked  free,  and  if  it  is  a data  segment,  it  is  set  to 
all  zeros.  Next,  INITSEG  tests  if  AST_TYPE (ASTE#)  logical  and 
AST_TYPE_MASK  (type  shares  a byte  with  four  other  attributes) 
equal.  AST_TYPE_DIRECTORY.  If  so,  the  segment  is  a directory  and 
it  must  place  all  ACL  elements  on  the  free  chain.  Letting 
ACL_CHAIN(I)  equal  I + 1 as  I goes  from  0 to  ACL_MAX  links  all 
elements  from  ACL_MIN  = 1 to  ACL_MAX  to  the  free  chain  head, 
ACL_CHAIN(0) . INITSEG  then  sets  ACL_CHAIN (ACL_MAX)  to  0 to  mark  the 
end  of  the  free  chain. 

To  complete  the  operation,  INITSEG  updates  the  AST.  AST_STATUS 
is  set  to  AST_STATUS_NOTMASK.  This  resets  the  status  bit  to  0, 
meaning  initialized.  The  change  bit  is  set  by  assigning  to 
ACT_CHANGE  the  value  of  AST_CHANGE  logical  or  AST_CHANGED,  so  that 
the  segment  will  be  copied  to  the  disk  when  it  is  swapped  out. 
INITSEG  then  returns. 

Function:  INITSEG 

Parameters : INITSEG (as  te# , block#) 

Effect : 

IF  AST_TYPE(aste#)  = DIRECTORY; 

THEN: 

IF  (OFFSET_MIN  <=  i <=  OFFSET_MAX; 

THEN:  DIR_SIZE(i)  = 0; 

END; 

IF  (ACL#_MIN  j <=  ACLE#_MAX; 

THEN:  ACL_CHAIN(j)  = (j+1)  MODULO  ACLE#_MAX; 

END; 

ELSE:  segment_con tents  = 0; 

END; 

3.2.33.2  N/A 

3.2.33.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 
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Called  By 


Calls 


SWAPIN  LSD 

3.2.33.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  INITSEG.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 

AST_ADR  ASTE#  I 

AST_TYPE  BLOCK# 

AST_STATUS 

AST_CHANGE 

ACL_CHAIN 

Constants 

ACL_MAX 

AST_CHANGE 

AST_STATUS_NOTMASK 

AST_TYP E_D  IRECTORY 

AST_TYPE_MASK 

DIR_KSR_ADR 

SDR_WRITE_ACCES  S 

3.2.33.5  Limitations 


None 

3.2.33.6  Listing 

DATA  INITSEG  (ASTE#,  FLOCK#); 


PHOGRAM  INITSEG; 

DECLARE 

WORD  (I)  ; 

AST_ADR  (ASTE#)  ;=  BLOCK#; 

/•  GAIN  ACCESS  TO  SEGMENT 


*/ 
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LSD(ASTE#,  niR^KSR^ADR,  S DR_H  RITE_  ACCESS)  ; 

/♦  THIS  ASSTJHES  ALL  SEGS  ARE  IK  BYTES  - HILL  CHANGE  LATER  ♦/ 

DO  I :=  0 TO  511; 

ZERO_ARRAY  (I)  :=  0; 

END; 

IF  (AST_TYPE  (ASTE#)  & A ST_TYPE_HAS  K)  = AST_TY  PE^DIRECTOHY; 

THEN: 

/♦  PUT  ALL  ACL  BLEflENTS  ON  FREE  CHAIN 

DO  I :=  0 TO  ACL_MAX; 

ACL_CHAIN  (I)  :=  I ♦ 1; 

END ; 

ACL_CHAIN(ACL_MAX)  :=  0; 

END; 

/♦  UPDATE  AST 

AST_STATUS  ( ASTE#)  ;=  (AST  ST ATUS ( ASTE#)  & AST_STATUS_NOTflASK)  ; 

AST_CHANGE  (ASTE#)  :=  ( AST^CHANGE ( ASTE#)  | A ST_CHANGED)  ; 

3.2,34  Prehash  (PREHASH) 

The  Prehash  CPC,  PREHASH,  is  a kernel  level  internal  SKCPP  function 
that  is  directly  called  by  other  kernel  level  internal  functions. 

It  is  written  in  Project  SUE  System  Language,  including  the  use 
of  the  Inline  feature. 

3,2,34.1  Description 

PREHASH  converts  the  disk  address  of  a segment  input  to  it  into 
an  index  into  HASH__TABLE.  It  hash  codes  the  16-bit  disk  address  into 
an  8-bit  index  equal  to  the  exclusive  or  of  the  high  order  8-bits 
with  the  low  order  8-bits  of  the  address - 

Function:  PREHASH 

Possible  values:  HASH^VAL  or  0 

Initial  value:  0 

Parameters : PREHASH  (disk__address) 
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3.2.34.2 


Flow  Chart 
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3.2*34.3  Interfaces 


Called  By  Calls 

ACT  None 

DEACT 

3.2.34.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  PREHASH.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


None 


DISK  ADR 


HASH  VAL 


Constants 


ASHRl 

MOV 

SEG_FLAG 

XORIO 


3.2.34.5  Limitations 
None 

3.2.34.6  Listing 

DATA  PREHASH  (DISK_Ar»B)  HETflRNS  (MASH_VAL)  ; 


PBOGRAH  PBEHASH; 

INLINE(MOV,  DISK_ADB,  0,  0); 
INLINE(MOV,  0,  0,  0,  1)  ; 

INLINE  (ASHB1)  ; 

INLINE(«FFFfl”)  ; 

INLINE  (XORIO)  : 

INLlNE(MOV,  0,  0,  HASH^^VAL); 
HASH_VAL  :=  (HASH_VAL  5 »00FF")  ; 
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3.2.35  Hash  (HASH) 


The  Hash  CPC,  HASH,  is  a kernel  level  internal  SKCPP  function 
that  is  directly  called  by  both  user  level  and  other  kernel  level 
internal  functions.  It  is  written  in  Project  SUE  System  Language, 
including  the  use  of  the  Inline  feature. 

3.2.35.1  Description 


HASH  converts  the  disk  address  of  a segment  input  to  it  into  the 
aste#  of  the  segment,  if  the  segment  is  active.  It  hash  codes  the 
16-bit  disk  address  into  an  8-bit  index  into  HASH_^TABLE  equal  to 
the  exclusive  or  of  the  high  order  8-bits  with  the  low  order 
8-bits  of  the  address.  This  index  is  then  used  to  retrieve  the 
associated  aste#.  If  the  disk  address  stored  in  the  AST  for  this 
aste#  matches  the  input  disk  address,  this  is  the  required  aste#. 

If  it  does  not  match,  any  chains  caused  by  hashing  collisions  must 
be  run.  This  process  continues  until  a match  occurs  or  an  aste#  of 
zero  is  retrieved,  indicating  that  the  segment  is  not  active. 

Function:  HASH 

Possible  values:  aste#  or  0 

Initial  value:  .0 

Parameters : HASH(disk_address) 
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3.2.35.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

DELETE  None 

START? 

CHANGEO 

DELETSEG 

SOADD 

COMECT 

3.2.35.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  HASH.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


HASH_TABLE  DISK_ADR  HASH_VAL 

AST_DISK  ASTE# 

AST_CHAIN 

Constants 

ASHRl 

MOV 

XORIO 

3.2.35.5  Limitations 


None 


3.2.35.6  Listing 

DATA  HASH  (DISK^ATR)  RETURNS  (ASTF#); 


PROGRAM  HASH; 

DECLARE 

WORT)  (HASH_VAL)  ; 
/♦  HASH  DISK^ADR 


♦/ 
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INLINF(M0V,  DISK^ADR,  0,  0); 

INLINP.  (MOV,  0,  07  0,  1)  ; 

INLTNP(ASHR  1)  ; 

INtINE(  ”FPF8")  ; 

INLINE  (XOR10)  ; 

INLTNE(nOV,  0,  0,  HASH^VAL)  ; 

ASTEt  :*  HASH_TABLE  (HASH^VAL  S "OOEF”): 

CYCLE 

RETURN  WHEN  ASTE#  = 0; 

....  RETURN  WHEN  AST^DtSK  ( AST ’=’# ) = DISK_ADR  ; 

ASTE#  :=  AST^CHAIN (ASTE#) ; 

END; 

3.2.36  Load  Segment  Descriptors  (LSD) 

The  Load  Segment  Descriptors  CPC,  LSD,  is  a kernel  internal 
SKCPP  function  that  is  called  by  both  user  level  external  functions 
and  kernel  level  internal  functions.  It  is  written  in  PAL-11 
assembly  language. 

3.2.36.1  Description 

LSD  constructs  segmentation  descriptors  for  a specified  segment 
and  loads  them  in  a specified  register.  It  converts  the  AST^SIZE 
into  a form  useable  in  the  segment  length  filed.  Since  the  size  is 
in  blocks  which  omit  the  eight  low-order  bits  of  the  length,  and  the 
descriptors  omit  only  six  low-order  bits,  the  size  is  multiplied  by 
2 . It  is  decremented  because  of  the  MMU's  excess  one's  notation. 

The  size  word  is  then  rotated  so  that  the  8 low-order  bits  become  the 
high-order  bits.  The  register  at  REG^LOC  is  assigned  the  inclusive 
or  of  the  size  word  and  MODE;  thus,  its  high  order  byte  is  the 
segment  length  field  and  its  low  order  byte  contains  written-into 
and  access  control  information.  REG_L0C,  the  pointer  to  the 
descriptor  register^ is  increased  by  40g  to  point  to  the  address 
register.  ASTE//  is  multiplied  by  2 before  being  used  as  a pointer 
to  the  AST_ADR  array  of  two-byte  words.  The  address  is  converted 
from  memory  blocks  to  a descriptor  address  with  six  low-order  bits 
omitted  and  assigned  to  the  segment  address  register.  This  completes 
the  operation. 

Function:  LSD 

Parameters:  LSD  (process//,  block//,  reg//,  mode) 

Effect: 

PS_SAR  (process//,  reg//)  = block//; 

PS_SDR  (process//,  reg//)  = MIB_SIZE (block//)  , mode; 
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3.2.36.2 


Flow  Chart 
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3.2.36.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 
Called  By 


ENABLE 
GETDIR 
READIR 
WRITEDIR 
SOADD 
DSEARCH 
INITSEG 
START? 

RUN 

3.2.36.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  LSD.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2. 

Data  Base  References 

Global  References  Function  Parameters  Local  References 

AST_SIZE  ASTE#  ASTSIZE 

AST_ADR  REGJLOC  ASTDR 

MODE 

Cons tants 

ADD 

ASL 

DEC 

JMP 

MOV 

MOVB 

SWAB 

3.2.36.5  Limitations 
None 


Calls 

None 
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3.2.36.6  Listing 


PAGE  1 


STflT  SOURCE  STATEMENT 


1 

R0=%0 

2 

B1  = %1 

3 

R2=*2 

4 

R3  = %3 

5 

R4=%4 

6 

R5=%5 

7 

R6=X6 

8 

PC=%7 

9 

• 

10 

• 

LSD: 

LOAD  SEGMENT  DESCRIPTOR (ASTE # , REG  LOC,  MODE); 

11 

f 

12 

ASTACR 

=007400 

;BASE  OF  AST_ADR  ARRAY 

13 

ASTSIZ 

=005000 

;BASE  OF  AST_SIZE  ARRAY 

1^4 

f 

15 

LSD: 

BOV 

R6,R5 

;SUE 

16 

ADD 

#10, R5 

;ENTRY 

17 

BOV 

PC,  (R5)  ♦ 

;SEQUENCE 

18 

BOV 

-4 (R5) ,R0 

; ASTE# 

19 

BOVB 

ASTSIZ  (RO) ,R1 

;SIZE  OF  THE  SEGMENT 

20 

ASL 

R 1 

;MY  BLOCKS  TO  THEIR'S 

21 

ASL 

R1 

22 

DEC 

R1 

;MMU  USES  EXCESS  ONES  NOTATION 

23 

SWAB 

R1 

;SLF  IS  IN  LEFT  BYTE  OF  DESCRIPTOR  REG 

2^ 

BIS 

-10(R5)  ,R1 

;CR  IN  A,  W,  ED,  AND  ACF  BITS 

25 

BOV 

-6  (R5) ,R2 

;P0INTER  TO  DESCRIPTOR  REG 

26 

BOV 

R1,  (R2) 

;STORE  DESCRIPTOR 

27 

ADD 

# 40, R2 

;POINT  TO  ADDRESS  REGISTER 

28 

ASL 

RO 

;ARRAY  OF  WORDS 

29 

BOV 

ASTAER (RO) ,Rl 

;BASE  ADDRESS  OF  SEGMENT 

30 

ASL 

R1 

;BY  BLOCKS  TO  THEIR«S 

31 

ASL 

R 1 

32 

BOV 

R1,  (R2) 

;STORE  IN  SEGMENTATION  REGISTER 

33 

JBP 

S-12  (R5) 

;DONE 

34 

. END 

LSD 

‘3.2.37  Disk  I/O  (DISKIO) 


The  Disk  I/O  CPC,  DISKIO,  is  a kernel  level  internal  SKCPP 
function  that  is  called  by  other  kernel  level  internal  functions. 

It  is  written  in  PAL-11  assembly  language. 

3.2.37.1  Description 

DISKIO  initiates  a disk  input/output  operation.  If  RFDSC,  the 
disk  control  status,  indicates  the  disk  is  not  ready  then  there  is 
a hardware  failure,  which  is  beyond  the  scope  of  the  Security  Kernel. 

Otherwise,  it  converts  the  parameters  into  forms  useable  by  the 
disk.  Multiplying  the  SIZE  in  256-byte  blocks  by  128  converts  the 
units  to  words  and  negating  the  result  yields  its  two’s  complement 
which  the  disk  requires.  This  value  is  used  as  RFDWC,  the  disk 
word  count.  DISKIO  then  restores  the  eight  low  order  0’s  to  the 
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DISK_ADDRESS  by  multiplying  it  by  2 . It  lets  RFDAR,  the  disk 
address  register,  and  RFDAE,  the  disk  address  extension  error 
register,  equal  this  result.  The  current  memory  address,  RFGMA, 
is  found  by  restoring  the  eight  low-order  bits  to  MEMORY_ADDRESS . 
The  disk  control  status  word  is  then  constructed  by  computing  the 
inclusive  or  of  any  extended  bits  shifted  four  digits  to  the  left 
with  MODE.  Having  thus  started  the  disk,  DISKIO  returns. 

Function:  DISKIO 

Parameters:  DISKIO  (as  te//,  block//,  command) 

Effect: 

DISK_ADR  = AST_DISK(aste//)  ; 

DISK_COirNr  = AST_SIZE(aste//) 

MEM_ADR  = block//; 

DISK  COMMAND  = command,  ENABLE_INTERRUPTS ; 
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3.2.37.2 


Flow  Chart 


TEMPI  - SIZE  \ 

T , 

TEMPI  = TEJIPI  *2^  I 

, TEMPI  = TEMPI  1 

RFWC  = TEMPI  1 

TEMP0  = 0 1 

i , 

TEMPI  = DISK_ADDRESS  | 

TEMP0,  TEMPI  = TEMPI  *2^  | 

♦ 

RFDAE  = TEMP0  | 

? “ 

RFDAR  = TEMPI  I 

T 

TEMP0  = 0 1 

' — ■ 

TEMPI  = MEMORY  ADDRESS  | 

» . 

TEMP0.  TEMPI  = TEMPI  *2®  | 

— —» 

RFCMA  = TEMPI  1 

t 

TEMP0  = TEMP0  *2^  | 

TEMP0  = TEMP0  V MODE  | 

^ , 

RFDSC  = TEMP0  I 

Q RETURN  ^ 
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3.2.37.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

SWAP IN  None 

SWAPOUT 

3.2.37.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  DISKIO.  For  data  base  references 

refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


None  DISK_ADDRESS  RFDSW 

MEMORY_ADDRESS  RFWC 

SIZE  RFCMA 

MODE  RFDAR 


RFDAE 

Constants 

ADD 

CLR 

JMP 

MOV 

NEG 

3.2.37.5  Limitations 

The  disk  control  status  must  be  negative  for  DISKIO  to  operate. 
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3.2.37.6  Listing 


PAGE  1 


STMT  SOURCE  STATEMENT 


1 R0=*0 

2 R1=X1 

3 F2=%2 

4 R3=^13 

5 R4=%4 

6 R5=X5 

7 r6=X6 

8 FC=1t7 

9 ; 


10 

; DlSKIO(CISK_ADDRESS,  MEHORY^ADDRESS,  SIZE,  MODE); 

1 1 

12 

RFDSC=177460 

• 

DISK  CONTROL  STATUS 

13 

RFWC=177462 

f 

WORD  COUNT 

14 

RFCMA=177464 

< 

CURRENT  MEMORY  ADDRESS 

15 

RFDAR=177466 

DISK  ADDRESS  REGISTER 

16 

RFDAE=177470 

• 

DISK  ADDRESS  EXTENSION  ERROR  REGISTER 

17 

18 

DISKIO:  MOV 

Re,R5 

SUE 

19 

ADD 

#12, R5 

ENTRY 

20 

MOV 

PC,  (R5)  ♦ 

SEQUENCE 

21 

TSTB 

a#RFDSC 

DISK  MUST  BE  READY 

22 

ERROR:  BGE 

ERROR 

OTHERWISE  INFINITE  LOOP 

23 

MOV 

-10  (R5)  ,R1 

SIZE  OF  SEGMENT  IN  256  BYTE  BLOCKS 

24 

.WORD 

072127  ;ASH  R 1, #7 

SLL  R1,7 

25 

. WORD 

000007 

SIZE  OF  SEGMENT  IN  WORDS 

26 

NEG 

R1 

DISK  REQUIRES  2’ S COMPLEMENT  OF  COUNT 

27 

MOV 

R1,d)#RfWC 

MOVE  COUNT  INTO  WORD  COUNT  REGISTER 

28 

CLR 

RO 

SET  OP  FOR  SPLITTING  DISK  ADDRESS  INTO  2 

29 

MOV 

-4  (R5)  ,R1 

DISK  ADDRESS  WITH  8 LOW  ORDER  0*S  REMOVED 

30 

. WORD 

073027  ;ASHC  RO , # 10 

SLDL  R0,R1,8 

31 

.WORD 

000010 

ADD  IN  THE  LOW  ORDER  0«S 

32 

MOV 

RO, 2#RFDAE 

MOVE  DISK  ADDRESS 

33 

MOV 

R1  ,d)#PFDAR 

TO  CONTROL  REGISTERS 

34 

CLR 

RO 

SET  UP  FOR  SPLITTING  MEM  ADDRESS  INTO  2 

35 

MOV 

-6(R5)  ,R1 

MEM  ADDRESS  WITH  8 LOW  ORDER  O'S  REMOVED 

36 

.WORD 

073027  ;ASHC  R0,#10 

SLDL  R0,R1,8 

37 

.WORD 

000010 

ADD  IN  THE  LOW  ORDER  0*S 

38 

MOV 

R1,a#RFCMA 

MOVE  LOW  ORDER  WORD  INTO  CONTROL  REGISTER 

39 

.WORD 

072027  ;ASH  P0,#4 

SLL  R0,4  - MOVE  EXTENDED  BITS  TO  RIGHT 

40 

, WORD 

000004 

41 

BIS 

-12  (R5) ,R0 

;OR  IN  INT.  ENABLE,  FUNCTION,  AND  GO  BITS 

42 

MOV 

R0,d>#RFDSC 

;START  DISK 

43 

JMP 

d-14(R5) 

;RETURN 

44 

.END 

DISKIO 

3.2.38  Disk  Allocation  (DALLOC) 

The  Disk  Allocation  CPC,  DALLOC,  is  a kernel  level  internal  SKCPP 
function  that  is  only  called  by  a user  level  external  function. 

It  is  written  in  PAL-11  assembly  language. 

3.2.38.1  Description 

DALLOC  allocated  space  on  the  disk  for  a segment  being  created  and 
sets  NEXT_piSK_ADDRESS  to  the  address  of  the  space  allocated.  Its 
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parameter  is  the  address  of  the  bit  maps  table  for  segments  of  the 
desired  size;  at  this  time,  only  size  2,  IK  bytes,  is  implemented. 

The  bit  maps  table  has  four  entries:  the  starting  and  ending 
addresses  of  the  bit  map,  the  base  disk  address,  and  the  shift 
factor,  log2  size. 

DALLOC  searches  the  bit  map  for  a zero  bit,  which  indicates  a 
segment  not  in  use.  It  sets  all  the  bits  of  TEMP4  to  1.  Then, 
starting  at  the  starting  address,  it  checks  if  the  bit  map  word 
equals  TEMP4.  If  not,  it  had  found  a word  with  a zero  bit,  and 
can  proceed;  otherwise,  it  continues  its  search.  If  it  reaches  the 
end  of  the  bit  map  without  finding  a zero  bit,  the  error  is 
unrecoverable,  so  it  halts. 

After  finding  a word  which  contains  a zero  bit,  it  finds  a 
word  number.  Since  the  search  operates  in  auto-increment  mode, 

DALLOC  subtracts  2 from  TEMP2  to  obtain  the  address  of  the  word 
with  the  free  bit.  TEMP 3,  the  byte  number  of  the  word  within  the 
bit  map,  is  set  to  TEMP2  minus  the  starting  address  of  the  bit  map. 

It  then  searches  the  word  for  its  first  zero  bit.  It  repeatedly 
performs  right  shifts,  incrementing  TEMP4  each  time,  while  the 
carry  bit  is  set  from  the  rightmost  bit  before  the  right  shift,  TEMP4 
now  holds  the  number  of  the  first  bit  set  to  zero. 

DALLOC  now  sets  the  bit  for  the  free  segment  it  found  to  "in 
use".  It  "or's"  the  word  it  found  with  a word  containing  a 1 in 
the  bit  corresponding  to  the  first  0 bit. 

DALLOC  now  translates  the  byte  number  and  bit  number  it  has 
found  into  a disk  address.  The  number  of  the  segment  in  the  disk 
area  has  the  word  number  as  its  high  order  bits  and  the  bit  number 
as  its  low  order  bits.  Multiplying  this  by  the  size  of  the  segments, 
that  is,  2 SHIFT_F ACTOR  yields  the  offset  of  the  allocated  disk 
area  from  the  base  of  the  disk  area  for  segments  of  this  size. 

Adding  BMT(3),  the  BASE_DISK_ADR  to  the  offset  produces  a disk 
address.  DALLOC  returns  this  value  to  the  user. 

Function:  DISK_ALLOC 

Parameters : DISK_ALLOC (size) 

Effect: 

(3k)  ((’BIT_MAP’ (size,  k)  = 0)  & 

(BIT_MAP(size,  k)  = 1)  & 

(NEXT_DISK_ADDRESS  ^ BASE(size)  + k^size)); 
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3.2.38.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3. A. 
Called  By  Calls 

CREATE  None 

3. 2. 38. A Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  DALLOC.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 
For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


BMT_SIZE  BMT_ADR  DISK_ADR 

Constants 


ADD 

ASR 

INC 

JMP 

MOV 

SUB 

3.2.38.5  Limitations 
None 
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3.2.38.6  Listing 


PAGE 


1 


STMT  SOURCE  STATEMENT 


1 

R0  = *0 

2 

R1=%1 

3 

R2  = t2 

4 

R3=!{3 

5 

R4=X4 

6 

R5=*5 

7 

R6=%6 

8 

PC=X7 

9 

• 

10 

t 

DISK_ADR  :=  DALLOC (BMT_A 

11 

t 

12 

t 

13 

DALLOC: 

NOP 

14 

MOV 

R6,  R5 

15 

ADD 

#4,R5 

16 

MOV 

PC,  (R5) ♦ 

17 

SUB 

#2,R6 

18 

MOV 

R4,-  (E6) 

19 

MOV 

-4(E5)  ,R0 

20 

MOV 

R0,R1 

21 

MOV 

(R1)  ♦■,R2 

22 

MOV 

(R1) ,R3 

23 

MOV 

# 177777, R4 

24 

V 

25 

WLOOP: 

MOV 

(R2) +, R1 

26 

CMP 

R1  ,R4 

27 

BNE 

WFOUND 

28 

CMP 

R2,  R3 

29 

BIT 

WIOCP 

30^ 

HALT 

31 

« 

32 

WFCUND: 

SUB 

#2,R2 

33 

MOV 

R2,R3 

34 

SUB 

(RO)  ,F,3 

35 

« 

36 

BLOOP: 

INC 

R4 

37 

ASR 

R1 

38 

BCS 

BLOOP 

39 

f 

40 

t 

NOW  MUST  TURN  BIT 

ON  IN 

41 

t 

42 

MOV 

# 1,  R 1 

4 3 

.WORD 

072104  :ASH 

R1,R4 

44 

BIS 

51,  (52) 

45 

t 

46 

f 

TRANSLAIE  (WORD#, 

BIT#, 

47 

48 

. WORD 

072327  ;ASH 

R3,3 

49 

.WORD 

3 

50 

ADD 

R4,  R3 

51 

MOV 

6 (RO) ,R2 

52 

. WORD 

072302 

H)  : 


;SUE 

;ENTRY 

.•SEQUENCE 

;DON'T  NEED  R4 

;GET  PARAMETER 

;ADDRESS  OF  BIT  MAP  TABLE 

;START  OF  BIT  MAP 

;END  OF  BIT  MAP 

;ALL  BITS  SET 

;SEARCH  BIT  MAP 
;FCR  A 0 BIT 
;FOUND  ONE 
;END  OF  MAP? 

;NO 

; UNRECOVERABLE  ERRCR 

;ADDRESS  OF  WORD  WITH  FREE  BIT 

;ITS  WORD  NUMBER  (RELATIVE  TO  BASE) 

;SEARCH 
;FOR  FIRST 
;0  BIT. 

MAP 

;ONE  BIT  ON 
;SHIFT  BIT  OVER 
;SET  USE  BIT 

SIZE)  INTO  A DISK  ADDRESS 

;SHIFT  WORD  NUMBER  OVER  3 BITS 

;ADD  IN  BIT  NUMBER 
;SHIFT  FACTOR 
;ASH  R3,R2 
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PAGE  2 


STMT  SOURCE  STATEMENT 


53 

54 

55 

56 

57 


ADD  4 (R0)rR3 

MOV  R3,  4 (R5) 

MOV  (F6) ♦^Ra 
JMF  a“6(R5) 
.ENC  DALIOC 


;ACD  IN  BASE  ADDRESS  OF  DISK  AREA 
;RETDRN  TO  USER 
; RESTORE 
;DONE! ! 


3. 2,39  Free  Disk  (DFREE) 

The  Free  Disk  CPC,  DFREE,  is  a kernel  level  internal  SKCPP 
function  that  is  called  by  another  kernel  level  internal  function. 

It  is  written  in  PAL-11  assembly  language. 

3.2.39.1  Description 

DFREE  translates  a disk  address  into  a bit  address  and  resets 
the  appropriate  bit  to  mark  the  disk  area  free.  It  subtracts  the 
base  disk  address  in  the  bit  maps  table  from  the  disk  address 
supplied  to  obtain  the  relative  address  of  the  disk  area  to  be 
freed.  Shifting  the  relative  address  to  the  right  by  the  shift  factor 
is  the  equivalent  of  dividing  by  the  size:  it  yields  the  number 
of  the  segment  within  the  disk  space.  DFREE  then  performs  a 
combined  right  shift  on  this  result.  This  separates  the  four  low- 
order  bits,  identifying  the  bit  number,  from  the  high  order  bits, 
which  identify  the  word#  of  the  segment's  bit  in  the  bit  map.  The 
bit#  is  then  moved  to  the  right,  and  since  the  left-most  bit  is  dup- 
licated in  the  right  shift,  the  12  left  bits  of  the  bit#  are  cleared. 
DFREE  creates  a word,  TEMPI,  with  only  the  bit  corresponding  to  the 
bit#  set  to  1.  It  finds  the  relative  byte  address  of  word#  by 
^Rultip lying  word#  by  2,  and  the  absolute  address,  TEMP2  by  adding 
the  bit  map  starting  address  which  it  finds  in  the  bit  maps  table. 

It  then  uses  TEMPI  to  clear  the  bit  at  TEMP2  which  corresponds  to  the 
area  to  be  freed.  This  updates  the  bit  map  and  marks  the  disk 
space  not  in  use. 

Function:  DISK__FREE 

Parameters : DISK_FREE (disk_address , size) 

Effect: 

Let  k = (disk_address  - BASE (size) ) /size) ; 

BIT__MAP(size,  k)  = 0; 
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3.2.39.2 
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3 • 2 . 39 • 3 Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 


Called  By 

Calls 

DELETSEG 

None 

3.2.39.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  DFREE.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph  3.3.2. 


Data  Base  References 

Global  References 

Function  Parameters  Local  References 

BMT_SIZE 

DISK  ADR 

BMT_ADR 

Constants 

ADD 

ASL 

JMP 

MOV 

NEG 

SUB 

3.2.39.5  Limitations 

None 
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3.2.39.6  Listing 

STHT  SODRCE  STATEMENT 


PAGE  1 


1 

2 

3 

4 

5 

6 

7 

8 
9 


R0=3t0 
R1  = t1 
R2-:*2 
R3=X3 
R4=t4 
R5=t5 
R6=t6 
PC=t7 


10  ; 

1 1 

DFREE(DISK_ADR,  BMT_ADE) 

, 1 

12  DFREE: 

NOP 

13 

MOV 

E6,E5 

;SUE 

14 

ADD 

#6,E5 

;ENTRy 

15 

MOV 

PC,  (R5)  ♦ 

;SEQUENCE 

16 

SUB 

#2,R6 

17 

MOV 

-4 (E5) ,E2 

;DISK  ADDRESS 

18 

MOV 

-6  (R5)  ,R0 

;BHT  ADDRESS  PARAMETER 

19 

SUB 

4 (RO) ,E2 

;SUTRACT  OUT  BASE  DISK  ADDRESS 

20 

MOV 

6(E0)  ,E1 

;GET  SHIFT  FACTOR 

21 

NEG 

R1 

;NEGATIVE  FOR  RIGHT  SHIFT 

22 

• MORD 

072201 

;SRL  R2,F1 

23 

.UORD 

073227  ;ASHC  R2,-4 

;SRDL  R2,3,4 

24 

.»ORD 

-4 

;SEPERATE  WORD#,  BIT# 

25 

.WORD 

072327  ;ASH  R3,-12 

;SRL  R3,  12 

26 

• WORD 

-14 

;GET  BIT  NUMBER  OVER  TO  RIGHT 

27 

BIC 

#177760, R3 

;ASH  IS  ARITHHETICr  NOT  LOGICAL, 

28 

MOV 

# 1,  HI 

;ONE  1 BIT 

29 

• WORD 

072103  ;ASH  E1,R3 

;SBL  R1,0(R3) 

30 

ASL 

R2 

;H0RD#  TO  BYTE# 

31 

ADD 

(RO) ,E2 

;ADD  IN  START  ADDRESS  OF  BIT  HAP 

32 

BIC 

R1,  (E2) 

;CLEAR  USE  BIT 

33 

JHP 

a-10  (R5) 

;DONE 

34 

.END 

DFREE 

3.2.40  Sleep  (SLEEP) 

The  Sleep  CPC,  SLEEP,  is  a kernel  level  internal  SKCPP  function 
that  is  called  by  both  another  kernel  level  internal  function  and 
user  level  external  functions.  SLEEP  calls  a kernel  level  internal 
function.  It  is  written  in  Project  SUE  System  Language,  including 
the  Inline  feature. 


3.2.40.1  Description 

SLEEP  finds  the  next  process  which  is  ready  to  run.  Using  Inline 
code,  it  sets  the  priority  level  low  to  enable  interrupts.  Then  it 
loops  through  the  processes,  starting  with  NEXT_PROCESS  equal  to 
THE_CURRENT_PROCESS  + 1,  looking  for  a ready  process.  It  begins  the 
cycle  by  checking  if  NEXT_PROCESS  is  greater  than  PROCESS//_MAX. 

If  so,  it  has  reached  the  last  process  and  goes  back  to  the  beginning 
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by  letting  NEXT_PROCESS  equal  PROCESS#_MIN.  Next,  if  PT_ FLAGS 
(NEXT_PROCESS)  logical  and  PT_FLAGS_MASK  equals  READY,  it  has  found 
a ready  process  and  leaves  the  process  finding  loop.  Otherwise,  it 
increments  NEXT_PROCESS  and  keeps  looking. 

If  NEXT__PROCESS , the  ready  process  it  found,  is  not  THE  CURRENT 
PROCESS,  SLEEP  calls  RUN.  The  segmentation  descriptors  of  the 
current  porcess  are  saved  in  the  PT  and  those  of  NEXT_PROCESS,  which 
becomes  the  new  current  process,  are  loaded.  Otherwise,  SLEEP 
simply  returns  control  to  the  calling  program. 

Function:  SLEEP 

Parameters:  SLEEP 
Effect: 

IF  ( (3 process#) (PT_FLAGS (process#)  = READY); 

THEN: 

IF  process#  = TCP; 

THEN:  RUN (process#) ; 

END; 

ELSE:  SLEEP 

END; 

3.2.40.2  N/A 

3.2.40.3  Interfaces 

Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 

Called  By  Calls 

STOPP  RUN 

IPCRCV 

P 


3.2.40.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  SLEEP.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  I,  List  of  Constants,  in 
subparagraph , 3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


PT  FLAGS 


None 


NEXT  PROCESS 


Global  References 


Function  Parameters 


Local  References 


THE  CURRENT  PROCESS 


Constants 

PROCESS#_MAX 

PROCESS#_MIN 

PT_FLAGS_MASK 

READY 

SPILLOW 

3.2.40.5  Limitations 
None 

3.2.40.6  Listing 

DATA  SLEEP; 

DECLARE 

WORD  (NEXT_PROCESS) ; 


RHOGRAM  SLEEP; 

INLINE(SPLLOH) ; 

/♦  FIND  NEXT  PROCESS  THAT  CAN  RUN  - ROUND  ROBIN  SCHEDULER 
NEXT_PROCESS  :=  T HE_CU R RENT^PROCESS  ♦ 1; 

CYCLE 


IF  NEXT_FROCESS  > PROCESS#_M AX ; 

THEN:  NEXT^PROCESS  :=  PEOCESS#_?l  IN ; 

END; 

IF  (PT_FLAGS  (NEXT_PROCESS)  ' S PT_FL AGS_nASK)  = READY; 
THEN: 

....  EXIT; 

END; 

NEXT_PROCESS  :=  NEXT^PROCESS  ♦“I; 

END; 

IF  NEXT_PBOCESS  THB_CURRENT_PROCESS  ; 

THBN:"rON  (NEXT_PROCESS)  ; 

END; 


3.2.41.  Run  (RUN) 

The  Run  CPC,  RUN,  Is  a kernej  level  Internal  SKCPP  function  th4t 
is  called  by  another  kernel  level  internal  function.  RUN  calls 
only  kernel  level  internal  functions.  It  is  written  in  Project 
SUE  System  Language. 


♦/ 
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3.2.41.1  Description 


RUN  saves  information  about  the  current  process  and  prepares  to 
run  the  next  process.  Using  Inline  code,  it  sets  the  priority 
level  high  to  block  Interrupts. 

It  then  looks  for  changes,  looping  through  all  segmentation 
registers,  REG#  going  from  0 to  REG#_MAX.  It  sets  X to  the  correct 
number  to  access  the  segmentation  registers:  REG#  + REG  CONSTANT 
if  REG#  is  greater  than  CROSS_REG#  and  REG#  otherwise.  RUN  then 
checks  if  the  change  bit  is  set,  if  SDR(X)  logical  and  SDR_CHANGE_ 
MASK  equals  SDR_CHANGED.  If  so,  VAR  is  assigned  the  value  of 
SAR(X) , the  main  memory  address  of  the  segment.  Since  the 
segmentation  registers  omit  the  six  low  order  bits  of  the  address 
(assumed  to  be  0)  and  the  memory  block  table  omits  the  eight  low 
order  bits  thereof,  two  arithmetic  shift  rights  are  performed, 
using  Inline  code,  on  VAR.  Then,  if  VAR  is  less  than  END_BLOCK#, 
the  change  bit  in  the  AST  entry  for  the  segment  is  set.  VAR  gets 

the  aste#  from  MBT_AST (VAR) . AST CHANGE (VAR)  is  then  reset  to 

AST_CHANGE(VAR)  logical  or  MBT_CHANGED.  RUN  then  continues  its 
loop  through  the  segmentation  registers. 

Function:  RUN 

Parameters:  RUN (process#) 

Effect: 

IF  (reg#) (SDR(reg#))  & SDR_CHANGE_MASK  = SDR_CHANGED; 

THEN: 

Let  VAR  = 4*SAR(reg#); 

Let  block#  = MBT_AST (var) ; 

AST_CHANGE (block#)  = 'AST_CHANGE' (block#)  AST_CHANGED; 

END; 

PT_KSAR1(TCP)  = KSARl; 

PT_KSDR1(TCP)  = KSDRl; 

LSD (PT_PS_ASTE# (process#)  PS_KSR_ASR, WRITE) ; 

Next,  RUN  saves  the  kernel  segmentation  register  1.  It  sets 
(THE_CURRENT_PROCESS)  to  KSDRl  and  PT_KSAR1(THE_CURRENT_PR0CESS) 
to  KSARl.  It  then  loads  the  descriptor  for  the  next  process' 

PS  at  PS_KSAR_ADR  with  a call  to  LSD.  Finally,  RUN  calls  SWAP,  to 
make  the  next  process  the  current  process. 

3.2.41.2  N/A 
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3 . 2 . 41 • 3 Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3, 4. 

Called  By  Calls 

SLEEP  LSD 

SWAP 


3.2.41.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  RUN.  For  data  base  references  refer 
to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph  3.3.1. 

For  constants  refer  to  Table  I,  List  of  Constants,  in  subparagraph 

3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


PT_KS ARl  NEXT_PROCE  S S X 

PT_KSDR1 

AST_CHANGE 

MBT_ASTE 

SDR 

SAR 

THE_CURRENT_PROCESS 
Constants 
ASR 

AST_CHANGE 
CROSS_REG// 

END_BLOCK// 

PS_KSR_ADR 
REG_CONSTANT 

3.2.41.5  Limitations 
None 

3.2.41.6  Listing 


REG//_MAX 

SDR_CHANGE_MASK 

SDR_CHANGED 

SDR_WRITE_ACCESS 

SPLHIGH 

SPLLOW 
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DATA  HUN (NFXT_FROCESS) ; 

DECLARE 

PROCEDUPF  ACCEPTS  (WORD,  WORD),  (SWAP), 
WORD  (PEG#,  X,  VAR); 


PRCGFAB  RUN; 

/♦  BLOCK  INTERRUPTS  * 

INLINE(SPLHIGH)  ; 

/♦  NO  NEED  TO  SAVE  PROCESS  REGISTERS  BECAUSE  A COPY  IS  IN  THE  PROCESS  SEGMENT,  ♦ 
♦ BUT  CHANGE  BIT  BUST  BE  INSPECTED 

DO  REG#  :=  0 TO  REGt^MAX; 

IF  REG#  > CR0SS_RFG#; 

THEN;  X :=  REG#  + REG_CONST ANT ; 

FLSF:  X :=  REG#; 

END; 

IF  (3DR(X)  6 SDP_CHANGF_MASK)  = SDR_CHANGED; 

THEN:  VAR  :=  S AR  (X)  ; 

INLINE  (ASR,  VAR);  /*  THEIR  BLOCKS  TO  BINE  ♦/ 

INLINE (ASR,  VAR) ; 

IF  VAP  < END_BLOCK#; 

THEN:  VAR  ;=  B RT_  AST  E ( V AP)  ; 

AST_CHANG5  (VAP)  :=  ( AST_CHANGE  (VAR)  1 AST_CHANGED) ; 

END; 

END; 

END; 

/♦  SAVE  KSR1 

PT_KSAR 1 (THE_CURRENT_PROCESS)  KS AP 1 ; 

PT^KSDR 1 (THE_CURRENt”pROCKSS)  :=  KSDR1; 

/♦  LOAD  DESCRIPTOR  FOP  NEXT  PROCESS'S  PS 

LSD (PT_PS_ASTE# (NEXT_PROCESS) , PS_KSR_ADR,  SDR_WRITE_ACCESS) : 

/♦  CLEANER  (AND  FASTER)  TO  DO  REAL  SWAP  IN  PAL 

SWAP  (THE_CORRPNT_PROCESS,  NEXT^PROCESS)  ; 

INLINE  (SPLLOW)  ; 

3.2.42  Swap  (SWAP) 

The  Swap  CPC,  SWAP,  is  a kernel  level  internal  SKCPP  function 
that  is  called  by  one  other  kernel  level  internal  function.  It  is 
written  in  PAL-11  assembly  language. 

3.2.42.1  Description 

SWAP  switches  from  the  current  process  supplied  to  the  next 
process,  as  specified.  It  multiplies  the  current  process  parameter 
by  2 to  access  the  arrays  of  2-byte  words.  It  then  saves  the  contents 


♦/ 


♦/ 


♦/ 
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of  general  purpose  registers  0 to  6 in  the  process  table. 

Next,  It  enters  NEXT_PROCESS  at  the  address  of  TCP,  as  the 
current  process.  The  next  process  parameter  is  then  doubled  to 
access  the  arrays  of  words. 

SWAP  then  loads  the  segmentation  registers  from  the  new 
current  process  *s  process  segment.  It  loops  through  the  supervisor 
registers,  setting  SAR0  through  SAR7  equal  to  PS_SAR(0)  through 
PS_SAR(7).  Similarly  it  loops  through  the  user  registers  and  loads 
SAR8-15  and  SDR8-15. 

It  then  loads  kernel  segmentation  registers  KSRl,  2,  and  3 from 
the  current  process's  entry  in  the  process  table.  General  purpose 
registers  4 through  6 are  also  filled  in  from  the  process  table. 

SWAP  now  checks  if  the  current  process  is  a new  process.  If 
R5  is  non-zero,  the  process  is  not  new,  and  SWAP  returns  to  the 
kernel.  Otherwise,  it  prepares  to  return  out  to  the  user.  It 
clears  registers  0 through  3.  To  R4  it  assigns  a pointer  to  the 
static  link,  and  R6  gets  the  kernel  stack  pointer.  The  user  PSW, 
the  PC,  the  user  R6,  and  the  pointer  to  the  static  link  are  pushed 
onto  the  stack.  The  pointer  to  the  static  link  is  then  popped 
from  the  stack  to  the  static  link  and  the  user  R6  is  popped  from  the 
stack  to  R6  in  supervisor  mode.  A return  from  interrupt  is  then 
executed,  restoring  the  supervisor's  RC  and  PSW  from  the  kernel 
stack. 

Function:  SWAP 

Parameters : SWAP  (TCP_j>rocess// , process//) 

Effect: 

PT_KSDR3  (TCP-process//)  = KSDR3; 

PT_KSAR3(TCP_j>rocess//)  = KSAR3; 

PT_R4  (TCP-process//)  = R4; 

PT_R5  (TCP_j>rocess//)  = R5; 

PT_R6(TCP_j>rocess//)  = R6; 

(Vreg/0  ( (PS_SAR (process//,  reg//)  = SAR(reg//))  & 

(PS_SDR (process//,  reg//)  = SDR(reg//)) 

KSDRl  = PT_KSDR1  (process//); 

KSARl  = PT_KSAR1  (process//)  ; 

KSDR2  = PT_KSDR2  (process//)  ; 

KSAR2  = PT_KSAR2  (process//)  ; 

KSDR3  = PT_KSDR3  (process//)  ; 

KSAR3  = PT_KSAR3  (process//)  ; 

R4  = PT_R4  (process//)  ; 

R5  = PT_R5  (process//)  ; 

TCP  = process//; 
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IF  R5  = 0 
THEN:  RO  “ O; 

R1  = 0; 

R2  = 0; 

R3  = 0; 

R4  = ".3E0"; 

R6  = "43FE'‘; 

SUPERV_STATIC_LINK  +"3E0"; 
SR6  = "3DC"; 

PSE  = "7000"; 

PC  = "4000"; 


END; 
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3.2.42.3  Interfaces 


Refer  to  Figure  6,  Function  Call  Matrix,  in  paragraph  3.4. 
Called  By  Calls 

RUN  None 

3.2.42.4  Data  Organization 

Listed  below  are  Security  Kernel  data  base  references  and 
constants  used  by  the  function  SWAP.  For  data  base  references 
refer  to  Figure  5,  Data  Base  Reference  Matrix,  in  subparagraph 
3.3.1.  For  constants  refer  to  Table  1,  List  of  Constants,  in 
subparagraph  3.3.2. 


Data  Base  References 


Global  References  Function  Parameters  Local  References 


PTJCSDRl 

CURRENT_PROCESS 

PTKDRl 

PT_KSAR1 

NEXT_PROCESS 

PTKARl 

PT  KSDR2 

PTKDR2 

PT_KSAR2 

PTKAR2 

PT  KSDR3 

PTKDR3 

PT  KSAR3 

PTKAR3 

PT  R4 

PTR4 

PT  R6 

PTR5 

PS  SAR 

PTR6 

PS  SDR 

KSDRl 

SDR 

KSARl 

SAR 

KSDR2 

PSW 

Constants 

KSAR2 

KSDR3 

KSAR3 

SAR0 

SDR0 

SAR8 

SDRS 

TCP 

PSW 

ADD 

ASL 

CLR 


DEC 

JMP 

MOV 
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Limitations 


3.2.42.5 


None 


3.2.42.6  Listing 


STttT  SOURCE  STATEMENT 


PAGE 


K0  = «0 
B1=%1 
B2  = !{2 
R3=t3 
Ra=%4 
R5=X5 
R6=X6 
PC  = X7 


10 

SWAP{C0RRENT  PR 

11 

12 

13 

RELEVANT  DEFINI 

14 

15 

PTKDR1 =17000 

16 

PTKAB1=17040 

17 

PTKDR2=17100 

18 

PTKAB2=17140 

19 

PTKDR3=17200 

20 

PTKAB3=17240 

21 

PTR4=17300 

22 

PTR5=17340 

23 

PTE6=1 7400 

24 

25 

AND 

PS 

26 

27 

PSSCR= 20000 

28 

PSSAR=20040 

29 

» 

30 

T HARDWARE  REGS 

31 

\ 

32 

KSDR1=172302 

33 

KSAR  1=  172342 

34 

KSAR2=172344 

35 

KSDR2=172304 

36 

KS AE3=172346 

37 

KSDR3=172306 

38 

SAF0=172240 

39 

SDR0=172200 

40 

SAR8=177640 

41 

SDR8=1 77600 

42 

43 

AND 

FINALLY 

44 

45 

TCP=16S44 

46 

PSH=177776 

47 

t 

48 

SWAP:  MOV 

R6,B5 

49 

ADD 

♦ e,  R5 

50 

MOV 

PC,  {E5)  ♦ 

51 

MOV 

-4 (r5) ,R0 

52 

ASL 

RO 

;THE  CURRENT  PROCESS 


;SUE 

;ENTRY 

;SEQUENCE 

;CURRENT_PROCESS 

;ARRAYS  ARE  OF  WORDS 
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MT 

53 

54 

55 

56 

57 

58 

59 

60 

61 

62 

63 

64 

65 

66 

67 

68 

69 

70 

71 

72 

73 

74 

75 

76 

77 

78 

79 

80 

81 

82 

83 

84 

85 

86 

87 

88 

89 

90 

91 

92 

93 

94 

95 

96 

97 

98 

99 

100 

101 

102 

103 

104 


PAGE 


2 


SOURCE  STATEMENT 


SAVE  KSR3  OF  CURRENT  PROCESS  IN  PT 

MOV  a#KSCR3,PTKDR3 (RO) 

MOV  a#KSA83,PTKA83 (RO) 

SAVE  GPR4-6  IN  PT 

MOV  R4, PTR4  (RO) 

MOV  R5,PTR5(R0) 

MOV  R6,PTR6 (RO) 

MOV  -6  (R5) ,RO 
MOV  RO,d#TCP 
ASL  RO 


;NEXT_PROCESS 

;SAVE‘" 

;ARRAYS  ARE  WORDS 


LOAD  SRO-15  FOR  NEXT  PROCESS  FROM  ITS  PS 


FIRST  SRO-7 


MOV 

MOV 

MOV 

MOV 

MOV 

SR07:  MOV 

MOV 
DEC 
BNE 


#PSSAR,R1 
#ESSDR,R2 
« SARO,R3 
«SDR0,R4 
# 8,  R5 

(B1) ♦,(R3)* 
(R2) (R4)^ 

P5 

SE07 


;BASE  ADDRESS  OF  PS_SAR  ARRAY 
;PS_SDR 

;BASE  ADDRESS  OF  SUPERVISOR 
.•SEGMENTATION  REGISTERS  (SRO-7) 
;LOOP  CONTROL 


; NOW 

MOV 

MOV 

MOV 

SR815:  MOV 

MOV 
DEC 
BNE 


SR8-  15 

«SAR8,R3 

»SDR8,R4 

#8,R5 

(R1)  ♦r  (R3)  ♦ 
(R2)  ^,(84)* 
R5 

SR815 


BASE  ADDRESS  OF  USER 
SEGMENTATION  REGISTERS  (SR8-15) 
LOOP  CONTROL 


LOAD  KSRI,  2,  e 3 FROM  PT 

MOV  PTKDRI(RO) ,a#KSDR1 
MOV  PTKAR1  (RO) ,d#KSARl 
MOV  PTKAR2(R0) ,a#KSAB2 
MOV  PTKDR2(R0) ,a#KSDR2 
MOV  PTKAR3  (RO) ,a#KSAR3 
MOV  PTKDR3(R0) ,a#KSDR3 


AND  GPR4-6 

MOV  PTR4(R0)  ,R4 
MOV  PTR5  (RO) , R5 
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STMT 

105 

106 

107 

108 

109 

110 

111 

1 12 

1 13 

1 14 

115 

116 

1 17 

118 

119 

120 

121 

122 

123 

124 

125 

126 

127 

128 

129 

130 

131 


PAGE  3 


SOORCE  STATEMENT 

MOV  PTR6  (RO)  ,R6 

; IF  THIS  IS  NOT  A NEW  PROCESS  RETURN  INTO  KERNEL 

; ELSE  RETURN  OUT  TO  USER 


MOV 

R5,R5 

BEQ 

NEW 

.WORD 

230 

;SPL  LOW 

JMP 

a-10  (P5) 

CLR 

RO 

CLR 

R1 

CLR 

R2 

CLR 

R3 

MOV 

# 1740, R4 

' ;”3E0” 

MOV 

#41776, R6  .. 

;KERNEL  stack  POINTER  - 

MOV 

#070000 (R6) 

;US^R  PSW  - 

CM=S,  PM=U 

MOV 

#040000,-  (R6) 

;PC  - ”4000« 

t 

MOV 

#001734,-  (R6)  . 

;USER  R6 

MOV 

R4,-  (R6) 

:POINTER  TO 

STATIC  LINK 

MOV 

#010340,a#PSW  • 

;FOR  NEXT  INSTRUCTION 

.WORD 

006637  ;MTPI 

;SET  STATIC 

LINK  EQUAL  TO 

. WORD 

1740 

;POINTER  TO 

STATIC  LINK 

.WORD 

006606  ;MTPI'R6 

;SET  SUPERVISOR  MODE  R6 

RTI 

•END  SWAP 
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3. 3 Storage  Allocation 


The  Security  Kernel  consists  only  of  its  data  base  and  its  code. 
The  Executive  and  Listener  programs  as  well  as  the  Executive  stacks 
and  root  directory,  while  necessary  for  its  running  are  not  actually 
part  of  the  Security  Kernel.  The  Editor  and  Exerciser  (which  allow 
user  interaction)  while  desirable  are  not  necessary  to  the  running 
of  the  Security  Kernel;  their  core  space  may  be  used  for  storing 
directory  and  data  segments.  A memory  map  is  shown  in  Figure  4. 

Of  the  64k  words  of  core  storage  available,  the  Security  Kernel 
data  base  occupies  5K  words  and  its  code  occupies  8.75k  words.  The 
root  directory  requires  0.5K  words  of  core  and  the  hardware  registers 
4K  words  of  high  core.  System  programs  - namely,  the  Executive 
(including  its  work  space),  and  the  Listener  - occupy  5.625K  words 
of  core.  The  Editor  and  Exerciser^ if  present,  require  an  additional 
13. 5K  words  of  storage  space.  This  leaves  about  40K  words  of  core 
(exclusive  of  the  Editor  and  Exerciser) . This  space  is  allocated 
consecutively  in  blocks  of  IK  bytes;  that  is,  each  segment,  as  it 
is  swapped  into  main  memory,  is  assigned  the  lowest  free  block  of 
storage.  No  timing  requirements  are  imposed.  The  only  equipment 
constraint  affecting  storage  allocation  is  that  only  8K  bytes  may 
be  addressed  at  a time;  hence  the  Security  Kernel  and  Editor  code  is 
stored  in  smaller  segments. 

3.3.1  Data  Base  Characteristics 


The  Security  Kernel  global  data  base  structures,  generally 
speaking,  fall  into  two  categories:  need-to-know  and  resource 
management. 

Included  in  the  need-to-know  category  are: 

a.  Directories,  which  have  a fixed  part  (DIR_)  and  a 
variable  part  (ACL_)  , are  access  matrices  which  describe 
access  permissions. 

b.  The  Active  Segment  Table  (AST_)  is  the  record  of  current 
access.  Functions  read  the  directories  to  fill  in  some 
of  the  information  contained  in  the  AST. 

c.  The  Process  Table  (PT_)  and  Process  Segment  (PS_) 
contain  control  information  about  a process.  The  PT 
contains  information  on  all  segments  whereas  the  PS 
contains  information  on  a specific  segment.  The  PT 
contains  some  information  which  appears  in  the  PS. 
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Figure  4,  MEMORY  MAP  (ALL  ADDRESSES  HEXADECIMAL) 


Included  in  the  resource  management  category  are: 

a.  The  Memory  Block  Table  (MBT_)  which  indicates  the  state 
of  main  memory.  Entries  in  the  MBT  are  Active  Segment 
Table  Entry  numbers  (ASTE//) . 

b.  The  Bit  Map  Table  (MBT_)  deals  with  disk  allocation. 

c.  The  Hash  Table  has  but  one  entry  (HASH_TABLE)  which 
points  to  the  beginning  of  a chain  of  ASTEs. 

d.  The  Interprocess  Communication  Element  Pool  (IPC_) 
contains  elements  which  are  controlled  by  a quota 
mechanism.  The  head  of  the  IPC  queue  is  located  in  the 
PT. 

e.  Semaphore  entries  are  arrays  of  0 to  257.  There  is  one 
semaphore,  which  is  indexed  by  ASTE#,  for  each  segment. 
The  head  of  the  chain  of  blocked  processes  on  a 
semaphore  is  located  in  the  PT. 

f.  Parameters  is  a table  of  user  input  parameters. 

g.  Segmentation  Address  Registers  (SAR)  and  Segmentation 
Descriptor  Registers  (SDR)  are  register  pairs  containing 
information  fully  describing  a segment.  SARs  reference 
the  MBT  for  their  information  and  the  SDRs  reference 

the  AST  entry  SIZE. 

The  Data  Base  Reference  Matrix  presented  as  Figure  5 shows  the 
global  data  base  and  the  functions  that  reference  each  individual 
structure.  Reading  across  shows  which  data  structures  are  referenced 
by  that  specific  function.  Reading  down  shows  which  functions 
reference  that  specific  data  structure. 

The  following  subparagraphs  contain  detailed  definitions  of  the 
contents  of  the  Security  Kernel  data  structures.  The  address  spaces 
referred  to  in  each  subparagraph  are  the  virtual  addresses  of  the 
specified  segmentation  register.  CONTEXT  KERNEL,  in  Section  10,  con- 
tains a complete  definition  of  the  Security  Kernel  virtual  address 
space.  (Refer  to  Section  3 paragraph  4 for  a description  of  the 
dynamic  address  translation  performed  by  the  MMU.) 
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FUNCTION 


DATA  BASE 


DIRECTORIES 

ACL 

AST 

PT 

IPS 

MBT 

BMT 

HASH  TABLE 

I PC  ELT  POOL 

SEMAPHORES 

PARAMETERS 

SDR  a SAR 

GATE 

PCHECK 

CREATE 

DELETE 

GIVE 

RESCIND 

OUTERP 

OUTERV 

STARTP 

STOPP 

CHANGEO 

INITH 

READIR 

IPCRCV 

IPCSEND 

GETW 

GETR 

ENABLE 

WRITEDIR 

DALLOC 

GETDIR 

DELETSEG 

SOADD 

DFREE 

CONNECT 

DCONNECT 

HASH 

DSEARCH 

ACT 

DEACT 

DISABLE 

PREHASH 

SWAPIN 

SWA  POUT 

INITSEG 

DISKIO 

P 

V 

SLEEP 

RUN 

LSD 

SWAP 
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Figure  5 DATA  BASE  REFERENCE  MATRIX 
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3. 3. 1. 1 Directories 


Functions  that  reference  the  directories  either  read  or  write 
the  directory  entries.  In  order  to  do  anything  with  a segment,  e.g., 
create  it,  delete  it,  give  access  to  it,  the  directory  that  catalogues 
the  segment  must  be  referenced.  A directory  is  a segment  of  entries 
that  contain  the  attributes  of  some  other  segment.  Directories  have 
a fixed  part  and  a variable  part.  The  fixed  part  is  filled  in  at 
the  time  the  segment  is  CREATEd.  The  field  names  for  this  part  of 
the  directories  begin  with  "DIR_".  The  variable  part  is  known  as 
the  Access  Control  List.  Its  field  names  begin  with  "ACL__**.  The  ACL 
is  an  open-ended  list  of  names  of  users  permitted  to  access  the  seg- 
ment and  implement  the  need-to-know  protection.  Directories  are 
located  in  KSR3  address  space  (refer  to  Section  10,  page  15). 

Format  of  a Directory  Entry 

(fixed  part) 

A directory  entry  is  accessed  by  (aste//,  offset):  DIR_JQCX(astey/ , offset) 


FIELD 

NO.  of  BITS 

DESCRIPTION 

DIR_TYPE 

1 

DIRECTORY  or  DATA 

DIR_STATUS 

1 

UNINITIALIZED  OR 

INITIALIZED 

DIR_CLASS 

4 

security  classification 

DIR_CAT 

16 

security  category  set 

DIR_SIZE 

8 

segment  size  in  blocks 

DIR_DISK 

16 

disk  address  of  the  segment 

DIR_ACL_HEAD 

8 

head  of  the  ACL  chain  (or  0 
the  list  is  empty) 

DIR__TYPE  specifies  the  type  attribute  of  the  segment.  Its  value 
is  either  DIRECTORY  (a  1-bit)  or  DATA  (a  0-bit)  . 

DIR_STATUS  indicates  whether  or  not  a segment  has  been  initia- 
lized. Its  value  is  either  UNINITIALIZED  (a  1-bit)  or  INITIALIZED 
(a  0-bit) . 
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DIR__CLASS  is  the  classification  part  of  the  security  attribute. 
It  has  values  of  1 through  4;  1 equals  unclassified,  2 equals 
confidential,  3 equals  secret,  and  4 equals  top  secret. 

DIR_CAT  is  the  category  set  which  is  the  rest  of  the  security 
attribute.  It  has  possible  values  of  0 through  32767. 

DIR_SIZE  is  the  size  of  the  segment  in  a multiple  of  256  bytes. 
If  the  value  of  DIR__SIZE  is  zero,  the  directory  entry  is  not  being 
used  and  the  value  of  all  other  fields  are  undefined. 

DIR__ACL_HEAD  is  the  head  of  a chain  of  ACL  elements.  If  there 
are  no  ACL  elements  then  DIR  ACL  HEAD  is  zero. 


Formal  of  an  Access  Control  List  (ACL)  Element 

(variable  part) 

An  ACL  element  is  accessed  by  (aste#,  acle#)  : ACL__XXX  (aste#,  acle#) 


FIELD 

NO.  of  BITS 

DEFINITION 

ACL_USER 

14 

user-id  or  ALL_USERS 

ACL_PROJECT 

8 

project  id  or  ALL__PROJECTS 

ACL_MODE 

2 

mode  of  access  - WRITE,  READ, 
or  NO  access 

ACL_CHAIN 

8 

acle#  of  next  ACL  in  the  chain 
or  0 

Whenever  a user  is  on  the  system  the  state  information  of  his 
process  includes  a two  part  name  identifier  - user__id  and  project__id. 

An  ACL  element  includes  this  two  part  name  but  either  part  may  be 
replaced  by  a flag  indicating  "don’t  care".  This  special  flag  is 
represented  by  ALL_JJSERS  or  ALL__PROJECTS . 

Each  ACL  element,  in  addition  to  a name,  has  a permitted  mode 
of  access  - no  access,  read  access,  or  write  access.  The  access  mode 
is  associated  with  the  ACL  element  rather  than  the  segment  itself 
to  allow  different  users  to  have  different  access  rights  to  the  segment. 
ACL  elements  are  ordered  from  most  significant  to  least  significant. 
Elements  with  a specific  user_id  and  project- id  come  first,  an  ALL_ 
PROJECTS  element  will  always  be  last,  and  elements  with  a specific 
user  and  ALL__PROJECTS  will  come  before  an  ALL_USERS,  specific  element. 
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A directory  segment  has  63  useable  entries  (numbered  1 to  63) 
plus  an  unuseable  entry  (entry  0)  and  127  ACL  elements  that  are  shared 
among  all  entries.  The  sharing  mechanism  employs  a chain  of  free 
ACL  elements  - the  head  of  this  free  chain  is  ACL  CHAIN (0) . A direc- 
tory is  initialized  by  marking  all  its  entries  as  free  and  placing  all 
the  ACL  elements  on  the  free  chain. 

All  segment  attributes  except  for  DIR_STATUS  and  DIR_DISK  are 
specified  by  users  with  write  access  to  the  directory  and  therefore 
have  the  security  level  of  the  parent  directory,  but  the  values 
of  DIR__STATUS  and  DIR__DISK  are  a function  of  system  wide  activity. 

Directories  are  considered  to  be  "composite"  objects.  Most  of 
the  data  in  a directory  will  be  at  the  security  level  of  the  directory 
but  some  will  be  at  a higher  level.  The  format  of  the  directory 
is  defined  within  the  security  perimeter  so  there  is  no  problem  in 
determining  the  security  level  of  a particular  data  item.  Since 
the  segment  is  the  smallest  object  to  which  access  is  controlled  by 
the  MMU,  uncertified  software  cannot  be  permitted  direct  read 
access  to  directory  segments.  If  uncertified  software  is  to  have  read 
access  to  a directory  it  must  be  via  Security  Kernel  functions  that 
do  the  reading  interpretively  and  are  aware  of  the  nature  of  the 
directories. 

3 . 3 . 1 . 1 . 1 Functions  Using  Directories  and  Access  Control  List 

Directories  Access  Control  List 


CREATE 

DELETE 

GIVE 


GIVE 


RESCIND 

DELETSEG 

DESEARCH 

INITSEG 


RESCIND 

START? 


CHANGED 

INITH 

READIR 

GETW 

GETR 

DELETSEG 

SOADD 

CONNECT 

DE SEARCH 

ACT 
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3. 3. 1.2  Active  Segment  Table  (AST) 


The  Active  Segment  Table  is  a system-wide  table  that  facili- 
tates the  main  memory  sharing  of  segments  among  processes • Every 
segment  that  is  in  the  work  space  (WS)  of  one  or  more  processes  or 
is  wired  down  (a  permanent  location  in  core  dedicated  to  the  seg- 
ment) has  an  entry  in  the  AST.  The  segment  is  identified  by  its 
aste#  (AST  entry  //)  • An  ASTE  is  composed  of  a number  of  fields. 
The  AST  is  located  in  KSR0  address  space  (refer  to  Section  10, 
pages  11  and  12). 


Format  of  an  Active  Segment  Table  Entry 
An  AST  entry  is  accessed  by  aste#:  AST_XXX(aste#) 


FIELD 

NO.  of  BITS 

DESCRIPTION 

AST_TYPE 

1 

DIRECTORY  or  DATA 

AST_STATUS 

1 

UNINITIALIZED  or  INITIALIZED 

AST_CLASS 

4 

security  classification 

AST_CAT 

16 

security  category  set 

AST_SIZE 

8 

segment  size  in  blocks 

ASTJDISK 

16 

disk  address  of  the  segment 

ASTJCHANGE 

1 

segment  altered  or  unaltered 
while  in  core 

AST_CPL 

16 

connected  process  list 

AST_WAL 

16 

write  access  list 

AST_AGE_CHAIN 

16 

chain  for  segments  eligible 
for  deactivation 

AST_ADR 

16 

main  memory  address  of  a seg- 
ment 

AST_DES_COUNT 

16 

number  of  descriptors  for  a 
segment 

AST_UNLOCK 

1 

UNLOCKED  - ASTJDES^COUNT:  0 

AST_SWAP_CHAIN 

16 

chain  of  segments  eligible 
to  be  swapped  out 

AST_CHAIN 

16 

used  by  HASH  functions  and 
for  ASTE  chain 
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The  head  of  chains  is  accessed  by  AST_XXX(0)  . 

AST_TYPE,  AST__STATUS,  AST__CLASS,  AST__CAT,  AST__SIZE,  and  AST_DISK 
correspond  to  the  similarly  named  fields  in  a directory  entry.  These 
fields  in  the  ASTE  are  set  by  copying  from  the  directory  entry  at  the 
time  the  segment  is  activated. 

AST__CHANGE  indicates  if  the  segment  has  been  modified  while 
enabled.  A l-'bit  means  the  segment  has  been  altered,  0-bit  means 
unaltered. 

AST_CPL  (connected  process  list)  indicates  which  processes 
have  the  active  segment  in  their  WS  (read  access  is  implied) . 

AST_WAL  (write  access  list)  indicates  which  processes  have  write 
access  to  the  segment  as  well.  AST__CPL  and  AST_WAL  are  bit  maps. 

Bit  0 indicates  whether  or  not  the  segment  is  wired-down  (0  indicates 
not  wired-down,  1 indicates  wired-down).  When  one  of  the  remaining 
bits  is  a 1,  the  corresponding  process  has  access  to  the  segment 
(AST_CPL-read  access,  AST__WAL-write  access).  When  a process 
removes  a segment  from  its  WS,  AST__CPL  may  become  zero  (no  processes 
have  the  segment  in  their  WS).  This  means  that  the  segment  can  be 
deactivated  making  the  ASTE  free. 

Segments  that  can  be  deactivated  (as  indicated  by  a zero  AST__CPL) 
are  kept  on  a chain  running  through  AST_AGE_CHAIN.  Since  ASTE_WAL 
is  not  meaningful  then  AST_CPL  is  zeroj  ASTE_WAL  and  AST__AGE__CHAIN 
can  physically  overlay  each  other. 

AST_ADR  is  the  main  memory  address  of  a segment  if  it  is  swapped 
in;  AST_ADR  will  be  zero  if  it  is  swapped  out.  Since  the  beginning 
main  memory  address  of  a segment  will  always  be  on  a 256  byte  boundary, 
AST_ADR  need  not  include  the  low  order  (all  zero)  8 bits  of  the  address. 

AST_DES_COUNT  (descriptor  count)  indicates  the  number  of 
descriptors  that  exist  for  a segment. 

Active  segments  that  are  eligible  to  be  swapped  out  are  kept  on 
a chain  running  through  the  AST_SWAP_CHAIN  field.  When  a process 
removes  a segment  from  its  AS,  AST_pES_COUNT  may  go  to  zero.  This 
means  the  segment  has  become  unlocked  and  can  be  removed  from  main 
memory . 

AST_UNLOCK  indicates  whether  or  not  a segment  is  on  the 
AST_SWAP_CHAIN  (1-bit  indicates  UNLOCK,  0-bit  indicates  LOCK).  This 
one  bit  field  allows  the  AST_DES_COUNT  and  AST__SWAP_CHAIN  fields  to 
be  overlayed. 
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AST_CHAIN  is  used  to  chain  together  ASTE's  that  are  free.  The 
function  HASH  also  uses  the  AST_CHAIN  field  to  resolve  hashing 
collisions. 

3. 3. 1.2.1  Functions  Using  the  Active  Segment  Table 


CREATE 

SOADD 

OUTERP 

CONNECT 

OUTERV 

DCONNECT 

STARTP 

HASH 

STOPP 

DSEARCH 

CHANGEO 

ACT 

INITH 

DEACT 

READIR 

DISABLE 

ENABLE 

SWAPIN 

WRITEDIR 

SWAPOUT 

GETDIR 

INITSEG 

DELETSEG 

RUN 

LSD 

-.3  Process  Table 

(PT) 

The  Process  Table  has  an  entry  for  each  process,  and  each  entry 
consists  of  several  fields.  The  PT  has  an  area  to  hold  the  basic 
state  of  all  processes  when  they  are  not  allocated  to  the  processor. 
The  Process  Table  is  located  in  KSR0  address  space  (refer  to  Section 
10,  page  14). 


Format  of  the  Process  Table 


The  Process  Table  is  accessed  by  process#:  PT_XXX (process#) 


FIELD 

NO.  of  BITS 

DESCRIPTION 

PT_KSDR1 

16 

kernel  segmentation 
register  1 

descriptor 

PT_KDAR1 

16 

kernel  segmentation 
register  1 

address 

PT_DSDR2 

16 

kernel  segmentation 
register  2 

descriptor 

PT_KSAR2 

16 

kernel  segmentation 
register  2 

address 

PT_KSDR3 

16 

kernel  segmentation 
register  3 

descriptor 
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PT_KSAR3 

16 

kernel  segmentation  address 
register  3 

PT_R4 

16 

general  register  4 

PT_R5 

16 

general  register  5 

PT_R6 

16 

general  register  6 

PT_CUR_CLASS 

4 

security  classifications 

PT_CUR_CAT 

16 

security  categories 

PT_KS_ASTE# 

16 

aste#  of  the  kernel  stack 

PT_PS_ASTE# 

16 

aste#  of  the  process ’s  process 
segment 

PT_FLAGS 

2 

READY,  BLOCKED  or  INACTIVE 

PT_LINK 

6 

chain  of  processes  blocked  on 
a semaphore 

PT_IPC_QUEUE_HEAD 

8 

head  of  the  IPC  queue 

PT_IPC_QUOTA 

8 

unused  ipc  element  quota 

The  first  nine  entries  in  the  PT  are  only  used  when  a process 
becomes  blocked.  They  are  written  when  the  process  is  blocked  and 
read  when  the  process  becomes  unblocked.  The  next  four  entries  are 
fixed  fields  while  the  last  four  entries  are  variable.  These  fixed 
and  variable  fields  of  the  PT  are  the  current  attributes  of  a pro- 
cess . 


PT_KSDR1  and  PT__DSAR1  hold  the  location  of  the  process ’s  process 
segment. 

PT__KSDR2  and  PT__KSAR2  hold  the  location  of  the  process ’s  kernel 
stack. 

PT__KSDR3  and  PT__KSAR3  hold  the  location  of  the  process ’s  current 
directory  segment. 

PT_R4,  PT_R5,  and  PT__R6  are  general  registers  whose  contents 
are  important  to  the  SUE  language.  They  act  as  accumulators,  stack 
pointers  and  temporaries.  Register  6 has  the  special  function  of 
the  processor  stack  pointer. 

PT_CUR_CLASS  is  the  security  classification  of  the  process. 

PT__CUR_CAT  is  the  security  category  set  of  the  process. 
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PT__KS__ASTE//  keeps  the  aste#  of  the  process  *s  kernel  stack. 

PT__PS__ASTE#  keeps  the  aste#  of  the  process  b segment  which  con- 
tains more  information  about  the  process. 

PT__FLAGS  indicates  the  execution  state  of  a process.  Its  value 
is  READY,  BLOCKED  or  INACTIVE. 

PT__LINK  is  used  to  chain  together  processes  that  are  blocked  on 
the  same  semaphore. 

PT__IPC__QUOTA_HEAD  is  the  beginning  of  a chain  of  interprocess 
communication  messages  sent  to  the  process.  Its  value  indicates  one 
of  three  possible  states:  (1)  there  are  messages  that  have  been 
sent  and  not  yet  read  by  the  process;  (2)  there  are  no  messages  that 
have  been  sent  to  the  process  and  not  yet  read  by  the  process;  and 
(3)  the  process  has  been  blocked  because  it  wants  to  read  another 
message  and  none  is  available- 

PT__IPC__QUOTA  is  a number  of  interprocess  communication  objects 
currently  available  to  the  user  for  receiving  messages  from  other 
processes . 


3. 3. 1.3.1  Functions  Using  the  Process  Table 


STARTP 

P 

STOPP 

V 

IPCRCV 

SLEEP 

IPCSEND 

RUN 

SOADD 

SWAP 

.4  Process 

Segment  (PS) 

There  is  a Process  Segment  (main  memory  segment)  for  each 
process.  The  PS  is  created  at  initialization  time  and  along  with 
the  appropriate  PT  entry,  holds  information  on  the  state  of  the  pro- 
cess. The  Process  Segment  is  located  in  KSRl  address  space  (refer 
to  Section  10,  pages  14  and  15). 

Format  of  a Process  Segment 

Process  Segments  are  accessed  by  process#:  PS__XXX(process#) 


FIELD 

NO.  of  BITS 

DESCRIPTION 

PS_CURRENT 

PROCESS 

8 

process# 

PS_PR0CESS_ 

_MASK 

16 

bit  mask 

188 


PS  PROCESS  NOTMASK 


PS_USER_ID 

PS_PROJECT_ID 

PS_CUR_CLASS 

PS_CUR_CAT 

PS_MEM_QUOTA 

PS  SDR 


PS  SAR 


PS  SEG 


16 

14 

8 

4 

16 

8 

16  X 16  array 


16  X 16  array 


15  X 32  array 


bit  mask 

user  identification 

project  identification 

security  classification 

security  category 

unused  main  memory  quota 

save  area  for  user  and  super- 
visor domain  segmentation 
registers 

save  area  for  user  and  super- 
visor domain  segmentation 
registers 

definition  of  process ’s  address 
space 


PS_CURRENT_PROCESS  is  the  number  of  the  process  associated  with 
the  PS. 

PS_PROCESS_MASK  and  PS_PROCESS_NOTMASK  are  used  in  accessing 
the  ACL_CPL  and  ACL_WAL.  They  are  the  process#  expressed  by  a 
16-bit  field;  the  value  of  PS_PROCESS_MASK  is  expressed  as 
2l5“P^oc^ss# ^ whereas  the  value  of  PS_PROCESS_NOTMASK  is  the  complement 
of  PS_PROCESS_MASK.  MASK  is  all  zero  except  for  the  bit  indicating 
the  process#.  NOTMASK  is  all  ones  except  for  the  bit  indicating 
the  process#. 

PS_USER_ID  and  PS_PROJECT__ID  identify  the  user  associated  with 
the  process. 

PS_CUR_CLASS  and  PS_CUR_CAT  define  the  classification  and 
category  which  is  the  current  security  level  of  the  process. 

PS_MEM_QUOTA  is  the  amount  of  main  memory  allocated  to  the 
process  for  its  AS  but  not  currently  in  use. 

PS_SDR  and  PS__SAR  are  two  arrays  that  form  the  save  area  for 
the  8 supervisor  (0-7)  and  8 user  (7-15)  segmentation  registers. 

PS_SEG  is  used  for  mapping  segment  numbers  (seg#*s)  into 
aste#'s.  Every  segment  in  a users  WS  has  an  aste#,  but  the  aste# 
cannot  be  available  to  the  user  because  it  is  a function  of 
system  wide  activity.  Therefore,  when  a process  has  the  kernel  move 
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3,  S6gm6nt  into  its  WS  y tho  IcBtnol  irotuirns  3 S6g//  which  the  piroccss 
subsequently  uses  to  identify  the  segment. 

3. 3. 1.4.1  Function  Using  the  Process  Segment 


PCHECK 

GETW 

OUTERP 

GETR 

OUTERV 

ENABLE 

STARTP 

WRITEDIR 

STOPP 

SOADD 

CHANGED 

CONNECT 

INITH 

DCONNECT 

IPCRCV 

DSEARCH 

IPCSEND 

DISABLE 

SWAP 

.5  Memory 

Block  Table  (MBT) 

The  Memory  Block  Table  is  a structure  used  to  indicate  the  state 
of  main  memory.  Contiguous  blocks  (256  bytes  per  block)  can  be 
concatenated  to  form  main  memory  segments  of  any  multiple  block 
size.  There  is  an  entry  in  the  MBT  for  each  block  with  segments 
represented  by  several  concatenated  entries.  The  Memory  Block  Table 
is  located  in  KSR0  address  space  (refer  to  Section  10,  page  11). 


Format  of  the  Memory  Block  Table 


The  MBT  is  accessed  by  block#:  MBT_XXX(block#) 


FIELD 


NO.  of  BITS  DESCRIPTION 


MBT_FLAGS  2 

MBT_SIZE  8 
MBT_CHAIN  14 
MBT_ASTE#  8 


FREE,  ALLOCATED,  or 
CONCATENATED 

size  of  the  area  in  blocks 

chain  of  free  blocks 

aste#  of  the  virtual  memory 
segment  in  the  block 


If  a block  is  the  first  in  a segment,  MBT_FLAGS  for  that  block 
is  either  FREE  or  ALLOCATED;  otherwise  it  is  CONCATENATED.  The 
remaining  fields  are  not  meaningful  for  CONCATENATED  blocks. 


MBT_SIZE  is  the  number  of  blocks  in  a segment. 
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If  a block  is  FREE,  MBT^CHAIN  is  the  block#  of  the  next  segment 
in  the  free  chain  or  the  initial  address  of  high  core  if  this  is  the 
end  of  the  chain.  (A  block#  is  the  address  of  the  first  byte  in 
a block  with  the  8 low  order  0 bits  removed.) 

If  the  block  is  ALLOCATED,  MBT_ASTE  is  the  aste#  of  the  segment 
bound  to  it. 

3. 3. 1.5.1  Functions  Using  the  Memory  Block  Table 


DISABLE 
SWAP IN 
SWAPOUT 
RUN 


3. 3.1. 6 Bit  Maps  Table  (BMT) 

Bit  maps  are  used  exclusively  by  the  disk  allocation  functions. 
There  is  an  allocated  area  on  the  disk  for  each  of  the  three  segment 
sizes  (the  initial  implementation  of  the  Security  Kernel  uses  only 
size  2) , a bit  map  for  each  area,  and  a Bit  Map  Table  for  each  bit 
map.  The  Bit  Map  Table  is  a table  of  tables  and  is  located  in  KSR0 
address  space  (refer  to  Section  10,  page  13). 

Format  of  the  Bit  Map  Table 


The  SUE  language  functions  pass  the  virtual  address  of  the  Bit 
Map  Table  associated  with  the  size  to  the  PAL-11  routines  which  will 
access  the  corresponding  bit  map. 


FIELD  NO.  of  BITS 


BMT_SIZE1 

64 

BMT_SIZE2 

64 

BMT_SIZE3 

64 

BIT_MAP2 

512 

BIT_MAP1 

32 

BIT  MAP3 

32 

DESCRIPTION 

segment  SIZEl  bit  map  table 
segment  SIZE2  bit  map  table 
segment  SIZE3  bit  map  table 
one  bit  per  IK  byte  segment 
reserved  for  future  use 
reserved  for  future  use 


BMT_SIZEn  is  the  segment  size  n Bit  Map  Table.  The  Bit  Map 
Table  contains  the  start  address  (first  16  bits)  and  end  address 
(next  16  bits)  of  the  bit  map,  the  base  address  of  the  disk  area 
(next  16  bits)  and  a shift  register  (last  16  bits) . 
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BIT_MAP2,  in  the  initial  implementation,  is  a map  of  512  bits- 
The  entire  disk  is  allocated  to  segment  SIZE2,  that  is,  512  IK  byte 
segments.  Each  bit  in  the  bit  map  corresponds  to  a segment  on  the 
disk.  When  a segment  is  allocated  space  on  the  disk,  the  correspond- 
ing bit  in  the  bit  map  is  set.  When  the  space  is  freed  the  bit  is 
cleared. 

In  future  implementations  the  disk  will  be  separated  into  three 
areas,  one  area  for  each  of  the  three  different  sized  segments. 

3. 3. 1.6.1  Functions  Using  the  Bit  Map  Table 


DALLOC 

DFREE 

3. 3. 1.7  Hash  Table 


The  Hash  Table  has  only  one  field  which  is  the  disk  address  of 
a specific  process.  The  Hash  Table  is  located  in  KSR0  address  space 
(refer  to  Section  10,  page  ll) . 

Format  of  Hash  Table 


A Hash  Table  entry  is  accessed  by  hash  value:  HASH_TABLE(HASH_yALUE) 


FIELD 

NO.  of  BITS 

DESCRIPTION 

HASH_TABLE 

16 

pointer  into  the  AST_CHAIN 

HASHJTABLE  could  be  thought  of  as  AST_CHAIN_HEAD  as  it  is 
actually  the  first  non-free  element  in  the  AST_CHAIN. 

3. 3. 1.7.1  Functions  Using  the  Hash  Table 


HASH 

ACT 

DEACT 

3. 3. 1.8  Interprocess  Communication  (IPC)  Element  Pool 

The  IPC  Element  Pool  chains  messages  waiting  to  be  received. 

The  pool  is  a shared  resource  of  127  elements  controlled  by  a quota 
mechanism  (each  receiving  process  is  restricted  to  8 message  ele- 
ments) . The  IPC  Element  Pool  is  located  in  KSR0  address  space  (refer 
to  Section  10,  page  11). 


192 


Format  of  an  IPC  Element  Pool 


An  IPC  Element  is  accessed  by  index:  IPC_XXX (INDEX) 


FIELD 

NO.  of  BITS 

DESCRIPTION 

IPC__LINK 

8 

chained  IPC  entry  # 

IPC_PROCESS# 

8 

sending  process  # and  domain 
indicator 

IPC_DATA 

16 

message 

IPC_LINK  is  the  chained  IPC  entry  //,  that  is,  the  number  of  the 
next  oldest  element  in  the  receiving  process ’s  chain  of  waiting  ele- 
ments . 

IPC__PROCESS//  contains  the  number  of  the  sending  process  and  a 
1-bit  domain  indicator. 

IPC_DATA  contains  the  message  being  sent. 

3. 3. 1.8.1  Functions  Using  the  IPC  Element  Pool 

STOPP 

IPCRCV 

IPCSEND 

3. 3. 1.9  Semaphores 

Semaphore  entries  are  arrays  of  0 to  257.  The  first  255  sema- 
phores are  associated  with  active  segment,  that  is,  SMFR#  = ASTE#. 
The  kernel  semaphore  equals  256  and  the  disk  semaphore  equals  257. 
Semaphores  are  located  in  KSR0  address  space  (refer  to  Section  10, 
page  13). 


Format  of  Semaphores 

A semaphore  entry  is  accessed  by  aste#:  SMFR_XXX(as te#) 


FIELD 

NO.  of  BITS 

DEFINITION 

SMFR_COUNT 

16 

P decrements  the 
V increments  the 

count 

count 

SMFR_POINTER 

16 

points  to  chains 
processes 

of  blocked 
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SMFR__COUNT  is  decremented  when  a P is  performed;  when  a V is 
performed  it  is  incremented.  The  boundries  of  SMFR_COUNT  are  --128 
to  127. 

SMFR_POINTER  is  an  entry  number  into  the  PT_LINK  which  is  the 
head  of  the  chain  of  blocked  processes  (1  chain  for  each  SMFR  #) . 

3. 3. 1.9.1  Functions  Using  Semaphores 


OUTER? 

OUTERV 

D CONNECT 

ACT 

P 

V 


3.3.1. 10  Parameters 


Parameters  are  a special  case  as  they  are  actually  part  of  the 
supervisor’s  data  base.  The  kernel  does,  however,  access  this 
information  when  needed. 

User  input  parameters  are  passed  to  the  Security  Kernel  by 
placing  them  in  fixed  locations  on  the  supervisor’s  stack.  The 
Security  Kernel  accesses  the  supervisor’s  stack  through  kernel  seg- 
mentation register  3.  Only  those  parameters  required  by  the 
requested  function  are  entered  by  the  user  and  accessed  by  the 
Security  Kernel.  Parameters  are  located  in  KSR3  address  space 
(refer  to  Section  10,  page  15). 

Format  of  Parameter  Entries 


FIELD  NO.  of  BITS 


FUNCT I0N_C0DE_AP AEM 

16 

SEG#_APARM 

16 

OFFSET_APARM 

16 

CLASS_APARM 

16 

CAT_APARM 

16 

SEG_TYPE_APARM 

16 

SIZE_APARM 

16 

MODE_APARM 

16 

USER  APARM 

16 

DESCRIPTION 

identifies  a requested  function 

identifies  as  active  segment 

identifies  a directory  entry 

classification 

category  set 

DATA  or  DIRECTORY 

size  of  a segment  in  blocks 

WRITE,  READ  or  NO  access 

user  id 
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PROJECT_APARM 

16 

project_id 

REC#_APARM 

16 

identifies  a segmentation 
register 

PROCESS#_APARM 

16 

identifies  a process 

MESSACE_APARM 

16 

IPC  message 

KRC 

16 

return  code 

KRC  2 

16 

return  code  2 

FUNCTION_CODE_APARM  is  a niimerical  tag  from  1 to  20  which 
identifies  a function. 

SEG#_APARM  is  the  segment  number  of  a segment  in  a process’s 
address  space  (WS) . 

OFFSET_APARM  is  the  identification  of  an  entry  within  a directory. 

CLASS_APARM  is  the  classification  part  of  the  security  attribute. 

CAT_APARM  is  the  category  set  which  is  the  rest  of  the  security 
attribute. 

SEGjrYPE_APARM  identifies  the  segment  as  either  DATA  or  DIRECTORY. 

SIZE_APARM  is  the  size  of  the  segment  in  256  byte  blocks. 

MODE_APARM  is  the  mode  of  access  which  is  either  WRITE,  READ, 
or  NO  access. 

USER_APARM  and  PROJECT_APARM  are  the  user  and  project  identifi- 
cation. 

REG#_APARM  is  the  identification  of  a segmentation  register. 

PROCESS#_APARM  is  a numerical  Identification  of  a process.  For 
the  IPCRCV  function  this  field  identifies  the  process#  plus  domain. 

MESSAGE_APARM  is  an  interprocess  communication  message. 

KRC  is  a per  process  return  code. 

KRC2  is  used  by  the  IPCRCV  function  exclusively  and  is  assigned 
the  value  of  the  IPC  message. 
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3.3.1.10.1  Functions  Using  Parameters 


PCHECK 

READIR 

3.3.1.11  Segmentation  Registers 

The  kernel  functions  that  access  information  contained  in  the 
segmentation  registers  are: 

GATE 

READIR 

ENABLE 

DISABLE 

RUN 

LSD 

SWAP 


3.3.1.11.1  Segment  Address  Registers  (SAR) 

The  Segment  Address  Register  is  a base  address  register.  It 
contains  the  base  address  of  the  segment  in  the  form  of  a 12-bit 
Segment  Address  Field  (SAF) . Bits  15-12  of  the  SAR  are  not  imple- 
mented. The  SAF  is  interpreted  in  address  calculations  as  a multi- 
plier of  32,  i.e.,  the  lowest  6 bits  are  assumed  to  be  0.  The  bit 
stored  in  bit  0 of  the  SAF  becomes  bit  6 of  the  segment  base  address, 
bit  1 of  the  SAF,  bit  7 of  the  segment  base  address,  etc.  Thus,  bit 
11  of  the  SAF  becomes  bit  17  of  the  segment  base  addressed. 


SEOIENT  ADDRESS  FIELD 


SEGMENT  ADDRESS  REGISTER  FORMAT 

3.3.1.11.2  Segment  Descriptor  Registers  (SDR) 

The  Segment  Descriptor  Register  (SDR)  contains  segment  length, 
access  control,  and  written  into  fields. 
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15  14  87654320 


SEGMENT  LENGTH  FIELD 

A 

w' 

E 

ACF 



SEGMENT  DESCRIPTOR  REGISTER  FORMAT 
3.3.1.11.2.1  Access  Control  Field  (ACF) 

The  ACF  is  a 3-bit  field  (occupying  bits  2-0  of  the  SDR)  which 
describes  the  access  rights  to  this  specific  segment.  The  access 
codes  specify  the  manner  in  which  a segment  may  be  accessed  and 
whether  or  not  a given  access  should  result  in  a trap  or  an  abort  of 
the  current  process.  A memory  reference  that  causes  an  abort  is 
terminated  immediately.  That  is,  an  aborted  "read"  reference  does 
not  obtain  any  data  from  the  location  and  an  aborted  "write" 
reference  does  not  change  the  data  in  the  location.  A reference  that 
causes  a trap  is  completed. 


Access  Control  Field  Keys 


AFC 

KEY 

DESCRIPTION 

FUNCTION 

000 

0 

non-resident 

abort  all  process 

001 

1 

read-only  and  trap 

trap  on  read  abort  any  attempt 
to  write  on  this  segment 

010 

2 

resident  read  only 

abort  any  attempt  to  write  on 
this  segment 

oil 

3 

illegal 

reserved  for  future  use 

100 

4 

resident  read/write 
and  trap 

memory  management  trap  upon 
completion  of  a read  or  write 

101 

5 

resident  read/write 
and  trap  when  write 

memory  management  trap  upon 
completion  of  write 

no 

6 

resident  read/write 

read  or  write  allowed  - no 
trap  or  abort 

111 

7 

illegal 

reserved  for  future  use 
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3.3.1.11.2.2  Written  Into  (W) 


The  W bit  (occupying  bit  6)  indicates  whether  the  segment  has 
been  written  into  since  it  was  swapped  into  main  memory.  A W bit  of 
1 is  affirmative  indicating  that  the  user  has  modified  the  segment 
and  that  it  must  be  saved  in  its  current  form.  A W bit  of  0 indicates 
that  the  segment  has  not  been  modified  and  that  it  need  not  be 
written  onto  disk  to  be  saved.  The  W bit  is  automatically  cleared 
when  either  the  SDR  or  SAR  of  a segment  is  written  into. 

3.3.1.11.2.3  Segment  Length  Field  (SLF) 

The  7"bit  SLF  (occupying  bits  14-8)  specifies  the  authorized 
length  of  the  segment  in  32-word  blocks.  A segment  consists  of  at 
least  one  and  at  most  128  blocks,  and  occupies  contiguous  core  location. 

3.3.1.11.2.4  Attention  (A)  and  Expansion  Direction  (ED) 

The  A bit  (bit  7)  and  ED  bit  (bit  3)  are  not  currently  referenced 
by  the  Security  Kernel. 

3.3.2  Constants  and  Macros 

The  following  two  tables  list  all  constant  and  macros  used  by  the 
Security  Kernel.  Table  I lists  the  constants  contained  in  CONTEXT 
NOFORN  and  CONTEXT  KERNEL.  A description  of  each  constant  and  its 
value  is  included.  Table  II  lists  the  macros  contained  in  CONTEXT 
NOFORN,  CONTEXT  KERNEL  and  DATA  GATE.  The  effect  of  each  macro  and 
its  parameters  is  included.  The  listings  of  CONTEXT  NOFORM,  CONTEXT 
KERNEL  and  DATA  GATE  can  be  found  in  Section  10,  pages  2 through  19 . 


Table  I 


List  of  Constants 


Values  of  the  following  are  in  hexidecimal  unless  otherwise  indicated. 


CONSTANT 


VALUE 


COMMENTS 


MEM  SIZE 


128K  bytes  = 512  256-byte 


blocks 


MBT_FLAGS__MASK* 
MBT  CHAIN  MASK 


COOO 

3FFF 


memory  block  table 
FLAGS,  CHAIN,  and  ASTE  all 


share  a word 


MASK  is  used  as  an  "anding"  operation  for  selecting  a bit  from  a 
bit  table 
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Table  I (Continued) 


END  BLOCK# 

3E0 

ALLOCATED 

0 

setting  of  memory 

CONCATENATED 

4000 

block  table  flag 

FREE  MEM 

8000 

field 

RESERVED_MEM 

COOO 

ASTE#  MIN 

llO 

range  of  active 

ASTE#_MAX 

25510 

segment  table  entries 

AST  TYPE_MASK 

80 

active  segment  table  entries 

AST  STATUS  MASK 

40 

TYPE,  STATUS,  CHANGE,  UNLOCK 

AST  STATUS  NOTMASK 

BF 

and  CLASS  share  a byte 

AST  CHANGE  MASK 

20 

AST_UNLOCK_MASK 

10 

AST  LOCK  MASK 

EF 

AST_CLASS_MASK 

OF 

AST_TYPE_DIRECTORY 

AST_TYPE_MASK 

definition  of  active  seg- 
ment table  TYPE  entry 

AST  CHANGE 

AST  CHANGE  MASK 

definition  of  active  seg- 

AST_UNCHANGED_MASK 

DF 

ment  table  change  bit 

AST_UNITIALIZED 

AST_STATUS_MASK 

definition  of  active  seg- 
ment table  STATUS  entry 

AST_UNLOCK_FLAG 

AST_UNLOCK_MASK 

definition  of  active  seg- 
ment table  UNLOCK  entry 

WIRED  DOWN  MASK 

8000 

Bit  0 of  the  connected  pro- 

WIRED DOWN  NOTMASK 

7FFF 

cess  list  is  wired  down 

WIRED_DOWN 

WIRED_DOWN_MASK 

bit 

ROOT_ASTE# 

llO 

active  segment  table  entry 
ROOT  constant 

IPC_MAX 

12710 

number  of  elements  in  the 

interprocess  communications 
pool 


IPC__QUOTA  8]^q  receiving  processes  are 

restricted  to  8 message 
elements 
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Table  I (Continued) 


BMT_SIZE1_ADR 

IBOO 

definition  of  bit  map  table 

BMT  SIZE2  ADR 

1B08 

SIZE  entry  address 

BMT_SIZE3_ADR 

IB  10 

KERNEL  SMER 

256io 

definition  of  KERNEL  and 

DISK_SMFR 

25710 

DISK  semaphores 

SMFR_MAX 

DISK  SMFR 

SEG#  FLAG 

8000 

definition  of  parameter 

OFFSET_FLAG 

4000 

flags 

CLASS  FLAG 

2000 

REG_FLAG 

1000 

PROCESS#  FLAG 

0800 

MODE_FLAG 

0400 

PT  KSDRl  ADR 

lEOO 

segmentation  descriptor  and 

PT_KSDR2_ADR 

1E40 

address  registers  must  be 
separated  by 

PT_FLAGS  MASK 

CO 

process  table  entries  FLAGS 

PT_LINK_MASKS 

3F 

and  LINK  share  a byte. 

LINK  is  only  meaningful 
when  FLAGS  = BLOCKED 

BLOCKED 

00 

definition  of  flag  field 

READY 

40 

INACTIVE 

80 

IPCJWAIT 

FF 

a process  is  waiting  for  a 
message 

PS_KSR  ADR 

F4C2 

segmentation  descriptor  and 

PS_SDR_ADR 

2000 

address  registers  must  be 

separated  by  20^5 

SEG_FLAG 

8000 

changed  to  aste//  when  the 
segment  is  allocated 

SEG_MASK 

7FFE 

used  to  mask  out  SEG  FLAG 

MEM_QUOTA 

24 

processes  are  restricted  to 

EXEC_MEM_QUOTA 

7F 

9K  words  of  memory  except  the 
executive  which  is  virtually 
unrestricted 
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Table  I (Continued) 


STACK_KSR_ADR 

F4C4 

definition  of  the  stack 

segmentation  register 

DIR_KSR_ADR 

F4C6 

definition  of  the  directories 

segmentation  register 

ACL_MAX 

12710 

number  of  active  control  list 

elements  to  be  shared 

DIR  TYPE  MASK 

80 

directory  entries 

DIR  STATUS  MASK 

40 

TYPE,  STATUS,  and  CLASS 

DIR_STATUS_NOTMASK 

BF 

share  a byte 

DIR  CLASS  MASK 

OF 

DIR_CLAS  S_NOTMASK 

FO 

DIR  TYPE  DIRECTORY 

80 

definition  of  directory 

DIR_UNINITIALIZED 

40 

entries  TYPE  and  STATUS 

ACL  MODE  MASK 

COOO 

access  control  list  entries 

ACL_USER_MASK 

3FFF 

MODE  and  USER  share  a word 

REG  CONSTANT 

578 

definition  of  accessing 

P_REG#_MAX 

587 

supervisor  and  user  seg- 

CROSS_REG# 

7l0 

mentation  registers 

SDR_ADR 

F480 

supervisor  SRO  = 3F480  user 

SRO  - 3FF80 

REG  CONSTANT  = 

((3FF80  - 3F480)/2)-8=578ig 

SDR_WRITE_ACCESS 

0006 

definition  of 

SDR  READ  ACCESS 

0002 

descriptor  register 

SDR  CHANGE  MASK 

0040 

fields 

SDR  CHANGED 

SDR  CHANGE 

_MASK 

PREV  MODE  MASK 

3000 

on  kernel  entry 

PREV  MODE  SUPERV 

1000 

call  is  ignored  if  not 
made  from  supervisor  mode 
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Table  I (Continued) 


DISK_WRITE  0043  disk  commands 

DISK_READ  0045 

The  following  are  hardware  instructions.  Their  values  are  in  octal 
unless  otherwise  indicated. 


ADD 

0006 

ASL 

0063 

ASR 

0062 

BCC 

103(1)0* 

BVS 

102(1)1 

CLR 

0050 

DEC 

0053 

INC 

0052 

JMP 

00001 

MOV 

0001 

MOVB 

0011 

NEC 

0054 

SUB 

0016 

SWAB 

0003 

TRAP 

104400 

MUL 

070100 

add  instruction 

arithmetic  shift  left 

arithmetic  shift  right 

branch  on  carry  clear  instruc. 

branch  on  overflow  clear  instruc. 

clear  instruction 

decrement  instruction 

increment  instruction 

jump  instruction 

move  source  instruction  (word) 

move  source  instruction  (bytes) 

negate  instruction 

substract  source  instruction 

swap  bytes 

trap  Instruction 

multiply  instruction 

R1  = RO  * R1 


DIV 

071002 

ASHRl 

072127 

ASHR0R3 

072003 

ASHR1R3 

072103 

XORLO 

074100 

MFPIR6 

006506 

MTPIR6 

006606 

divide  instruction 
RO  = R0R1/R2 

Shift  arithmetically  (Register  1) 
shift  arithmetically 
(Register  0 , Register  3) 
shift  arithmetically 
(Register  1,  Register  3) 

Exclusive  OR 

move  from  previous 

instruction  space 

move  to  previous  instruction 

space 


SPLHIGH 

SPLLOW 


000237  set  priority  level  high 

000230  set  priority  level  low 


* 

A (1)  indicates  that  the  value  following  is  in  binary. 
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Table  I (Continued) 


The  following  values  are  in  decimal  unless  otherwise  indicated 


CREATE_FUNCTION_CODE  1 

DELETE_FUNCTION_CODE  2 

GIVE_FUNCTION_CODE  3 

RESCIND_FUNCTION_CODE  4 

GETW_FUNCTION_CODE  5 

GETR_FUNCTION_CODE  6 

RELEASE_FUNCTION_CODE  7 

ENABLE_FUNCTION_CODE  8 

DISABLE_FUNCTION_CODE  9 

P_FUNCTION_CODE  10 

V_FUNCTI0N_C0DE  11 

T_FUNCTI0N_C0DE  12 

IPCSEND_FUNCTION_CODE  13 

IPCRCy_FUNCTION_CODE  14 

STARTP_FUNCTION_CODE  15 

ST0PP_FUNCTI0N_C0DE  16 

CHANGEO_FUNCTION_CODE  17 

PR0CID_FUNCTI0N_C0DE  18 

INITH_FUNCTION_CODE  19 

READIR_FUNCTION_CODE  20 

FUNCTION_CODE_MIN  1 

FUNCTION_CODE_MAX  20 

SEG#_MIN  1 

SEG#_MAX  31 

R00T_SEG#  1 

0FFSET_MIN  1 

0FFSET_MAX  63 

PDDJOFFSET  1 

I0D_0FFSET  2 

CD_0FFSET  3 

FMS_OFFSET  4 

UNCLASSIFIED  1 

CONFIDENTIAL  2 

SECRET  3 

TOP_SECRET  4 

CLASS_MIN  1 

CLASS  MAX  4 


range  of  function  code 
range  of  segment  numbers 


range  of  offsets 

process  directory  directory 
input/output  directory 
code  directory 
file  management  system 
definition  of  class 


range  of  class 
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Table  I (Continued) 


S EG__TYPE__DIRECT0RY 
SEG_TYPE_DATA 

°°16 

SIZEl 

1 

STZE2 

4 

SIZE3 

16 

N0_ACCESS 

0 

READ$EXECUTE_ACCESS 

4000. 

WRITE  $ ElEAD  $ EXCUTE_ACCE  S S 

cooo: 

ALL_USERS 

3FFF 

ALL_PROJECTS 

SYSTEM_PR0JECT 

-u 

REG#  MIN 

0 

REG#_MAX 

15 

PROCESS  #_MIN 

1 

PROCESS#  MAX 

7 

PROCESS#  2MAX 

14 

EXEC_PR0CESS# 

1 

TTY_PROCESS# 

2 

DECW_PR0CESS# 

3 

SC0PE1_PR0CESS# 

4 

SC0PE2  PROCESS# 

5 

USER  PROCESS#  MIN 

2 

USER  PROCESS#  MAX 

5 

definition  of  segment  type 

256  bytes 
IK  bytes 
4K  bytes 

definition  of  mode 


definition  of  user  and 
project 


range  of  register  numbers 

definition  of  process 
numbers 


PROCESS  #_MASK 
DOMAIN_MASK 
KERNEL  DOMAIN 


7Fig  definition  of  IPCRCV 

802^6  PROCESS#  (PROCESS#  plus 

D0MAIN_MASK  DOMAIN) 


0F_FLAG 
ERR_FLAG 
SEVERE  FLAG 


FFFFjg  definition  of  kernel  return 

FFFE. , code 

fffd::^ 

16 


TRUE 

FALSE 

MAXIMUM_INTEGER 

MAX_NEG_INTEGER 

CV_MAX_LEN 

CARRIAGE_RETURN 
LINE  FEED 


3^967 

-32768 


72 


10 

10 


10 


2^6 

16 


character  varying  maximum 
length 
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Table  I (Concluded) 


LOW_CHARACTER 

HIGH_CHARACTER 

NEW_LINE 

END_OF_FILE 

BS_CHAR 

CANCEL  CHAR 


MACRO  NAME 
MULTIPLY 


DIVIDE 


MUDOLO 


KCREATE 


KDELETE 


80 

07 

N 


16 

16 


* 


LINE  FEED 


back  space 


Table  II 
List  of  Macros 

PARAMETERS 

OPl,  OP2,  PRODUCT,  FLAG 


DIVIDEND,  DIVISOR, 
QUOTIENT,  FLAG 

DIVIDEND,  DIVISOR, 
REMAINDER,  FLAG 

SEG#,  OFFSET,  CLASS, 
CAT,  SEG_TYPE_SIZE,  RC 

SEG#,  OFFSET,  RC 


EFFECT 

Places  the  product  of 
OPl  and  OP 2 in  PRODUCT 
and  sets  FLAG  if  result 
is  less  than  -215  or 
greater  than  or  equal  to 
215. 

Places  the  result  of 
DIVIDEND/DIVISOR  in  quo- 
tient and  sets  FLAG  if 
dividing  by  zero  is 
attempted. 

Finds  the  REMAINDER  and 
sets  FLAG  in  the  event 
of  an  overflow. 

Calls  kernel  function 
CREATE  and  sets  RC  to 
KERNEL_RC. 

Calls  kernel  function 
DELETE  and  sets  RC. 
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Table  II  (Continued) 


KGIVE 

SEG#,  OFFSET,  USER, 
USER,  PROJECT,  RC 

Calls  kernel  function 
GIVE  and  sets  RC. 

KRESCIND 

SEG#,  OFFSET,  USER, 
PROJECT,  RC 

Calls  kernel  function 
RESCIND  and  sets  RC. 

KGETW 

SEG#,  OFFSET,  RC 

Calls  kernel  function 
GETW  and  sets  RC. 

KRELEASE 

SEG# 

Calls  kernel  function 
DCONNECT 

KENABLE 

SEG#,  REG#,  RC 

Calls  kernel  function 
ENABLE  and  sets  RC. 

KDISABLE 

REG# 

Calls  kernel  function 
DISABLE  and  sets  RC. 

KP 

SEG#,  RC 

Calls  kernel  function 
OUTERP  and  sets  RC. 

KV 

SEG#,  RC 

Calls  kernel  function 
OUTERV  and  sets  RC. 

KT 

SEG#,  RC 

Enters  kernel  to  read 
semaphore  and  sets  RC. 

KIP  CS  END 

PROCESS#,  MESSAGE 

Calls  kernel  function 
IPCSEND. 

KIPCRCV 

PROCESS#,  MESSAGE 

Calls  kernel  function 
IPCRCV  to  read  MESSAGE 
and  sending  process#. 

KSTARTP 

USER_ID,  PROJECT_ID, 
CLASS,  CAT,  PROCESS#, 
PROC_OFFSET,  RC 

Calls  kernel  function 
STARTP  and  sets  RC. 

KSTOPP 

Calls  kernel  function 
STOPP. 

KCHANGEO 

SEG#,  OFFSET,  CLASS, 

CAT,  RC 

Calls  kernel  function 
CHANGEO  and  sets  RC. 
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Table  II  (Concluded) 


KPROCID  PROCESS# 


KINITH  SEG#,  OFFSET,  ASTE#,  RC 

KREADIR  SEG#,  OFFSET,  CLASS, 

CAT,  SEG_TYPE,  SIZE, 

RC 


KERNEL  ENTRY 


KERNEL  EXIT 


3. 4 Security  Kernel  Function  Call  Matrix 

The  Function  Call  Matrix  presented  in  Figure  6 lists  the 
forty-two  functions  of  the  Security  Kernel.  Reading  across  the 
matrix  shows  which  functions  are  called  by  a specific  function. 
Reading  down  shows  which  functions  a specific  function  calls.  The 
matrix  also  shows  whether  a specific  function  is  externally  or 
internally  callable,  the  number  of  functions  it  calls,  and  the 
number  of  functions  that  call  it.  Eighteen  of  the  functions  are 
externally  callable.  The  remaining  twenty-four  are  called  either 
directly  or  indirectly  by  the  externally  callable  functions.  The 
non-callable  functions  are  invisible  outside  the  kernel  domain  and 
deal  basically  with  the  management  of  the  PDP-11/45 's  physical 
resources.  The  externally  callable  functions  may  be  invoked  by  any 
process  operating  in  supervisor  domain  with  the  exception  of  STARTP, 
CHANGEO,  and  INITH  which  may  be  called  by  one  trustworthy  process, 
the  Executive  Process. 


Enters  the  kernel  to 
find  the  process's 
PROCESS#. 

Calls  kernel  function 
INITH  and  sets  RC. 

Calls  kernel  function 
READIR  to  find  the  CLASS, 
CAT,  SEG_TYPE,  and  SIZE 
attributes  of  directory 
entry  SEG#,  OFFSET. 

Pushes  user  r egis ters 
RO  to  R6  onto  kernel 
stack. 

Restores  user  registers 
RO  to  R6  from  kernel 
stack. 
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Figure  6 KERNEL  FUNCTION  CALL  MATRIX 


3.4.1  Program  Interrupts 


Program  interrupts  occur  when  a new  process  requests  the  ser- 
vice of  the  CPU.  Before  servicing  the  new  process,  however,  the 
CPU  finishes  executing  the  instruction  it  is  working  on.  The 
interrupt  is  then  handled  by  the  invocation  of  the  KERNEL_ENTRY 
macro,  which  causes  the  contents  of  the  current  process ’s  registers 
to  be  saved.  The  PC  and  PSW  of  the  interrupt  vector  now  become  the 
new  process's  PC  and  PSW.  The  function  V is  then  called  to  increment 
the  count  on  the  semaphore  associated  with  the  new  process's  I/O 
segment.  Macro  KERNEL_EXIT  is  then  invoked  which  causes  the  general 
purpose  registers,  the  PC  and  the  PSW  to  be  restored  with  what  they 
contained  before  the  interrupt. 

3.4.2  Subprogram  Referencing 

The  following  figures  depict  the  calling  flow  of  the  Security 
Kernel.  To  facilitate  readability  the  Security  Kernel  has  been 
broken  down  into  three  levels;  the  entry  point  GATE  (Figure  7),  the 
eighteen  externally  callable  functions  (Figure  8 through  21) , and 
the  internal  function  SWAPIN  (Figure  22) . 
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Figure  7.  GATE  Call  Diagram 
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CREATE 


'r 

See  Figure  22 


Figure  8.  CREATE  Call  Diagram 
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DELETE 
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Figure  9 . DELETE  Call  Diagram 


GIVE 

RESCIND 


See  Figure  22 


HASH  DS 

\ 

/ 


SWAPIN  LSD 


V 

DISABLE 


See  Figure  22 


Figure  10.  GIVE  and  RESCIND  Call  Diagram 
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See  Figure  22 


QEXW 

GETR 


Figure  11.  GETW  and  GETR  Call  Diagram 
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DCONNECT 


DISABLE 


Figure  12.  DCONNECT  Call  Diagram 


ENABLE 


SWAPIN 


LSD 


See  Figure  22 


Figure  13.  ENABLE  Call  Diagram 
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OUTERP 


RUN 


LSD  SWAP 


Figure  14.  OUTERP  Call  Diagram 


OUTERV 


V 


Figure  15.  OUTERV  Call  Diagram 
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IPCRCV 


Figure  16.  IPCRCV  Call  Diagram 


Figure  17.  STARTP  Call  Diagram 
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DCONNECT 


Y 

DISABLE 


STOPP 


IPSCEND 


SLEEP 


RUN 


A 

LSD 


Figure  18.  STOPP  Call  Diagram 


CHANGEO 


See  Figure  22 


Figure  19.  CHANGEO  Call  Diagram 


218 


INITH 


WRITEDIR 


SWAP IN  LSD 

See  Figure  22 


Figure  20.  INITH  Call  Diagram 


READIR 


See  Figure  22 


Figure  21.  READIR  Call  Diagram 
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Figure  22.  SWAPIN  Call  Diagram 
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3*4.3  Special  Control  Features 


This  paragraph  briefly  describes  three  system  programs  which 
may  be  run  in  conjunction  with  the  Security  Kernel. 

3. 4. 3.1  STARTUP 


STARTUP  sets  up  a basic  environment  in  which  to  run  the  Security 
Kernel.  It  reads  the  Kernel,  Executive,  and  Listener  code  from  magnetic 
tape  into  core.  It  then  initializes  the  root  directory,  activates  the 
Executive’s  working  space,  and  invokes  the  Executive. 

3. 4. 3. 2  EXECUTIVE 


EXECUTIVE  creates  basic  directories  (the  process  directory 
directory,  the  I/O  directory  and  the  code  directory)  subordinate 
to  the  root.  It  places  code  segments  into  the  code  directory,  I/O 
segments  into  the  I/O  directory,  and  creates  its  own  process  directory 
off  the  process  directory  directory.  It  then  establishes  a Listener 
program  for  each  connected  terminal.  Two  subprograms  of  the  Executive, 
PSTART  and  PSTOP,  are  called  to  initiate  and  terminate  Listener  and 
user  processes. 

3. 4. 3. 3  LISTENER 

LISTENER  accepts  a user’s  correct  start  command,  then  loads  the 
user,  project,  class  and  category  into  a message  segment  to  be 
read  by  the  Executive,  which  will  start  a user  process  with  the 
specified  security  characteristics.  There  is  a Listener  process 
for  each  user  station. 
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4 . QUALITY  AS  SURANCE 
4.1  Validation  Criteria 


Department  of  Defense  Regulation  DoD  5200. 1-R  (ref.,  paragraph 
2.1b  this  specification)  governs  the  Classification,  Downgrading, 
Declassification,  and  Safeguarding  of  Classified  Information  pursuant 
to  DoD  Directive  5200.1  (ref.,  paragraph  2.1a),  the  Department  of 
Defense  Information  Security  Program.  This  program  and  Regulation 
addresses  the  problem  of  protection  of  official  information  relating 
to  National  Security,  to  the  extent  and  for  such  period  as  is  nec- 
essary. The  Regulation  establishes  the  bases  for  identification  of 
information  to  be  protected;  establishes  a progressive  system  for 
classification,  downgrading  and  declassification;  prescribes  safe- 
guarding policies  and  procedures  to  be  followed;  and  establishes  a 
monitoring  system  to  insure  the  effectiveness  of  the  Information 
Security  Program  throughout  the  Department  of  Defense. 

DoD  5200. 1-R  provides  the  following  definition  of  information: 
’’knowledge  that  can  be  communicated  in  any  form”.  It  also  provides 
the  following  policy  with  respect  to  certain  official  information: 

”To  protect  against  actions  hostile  to  the  United  States,... it  is 
essential  that  such  official  information...  be  given  only  limited 
dissemination”.  To  implement  this  policy,  it  states  that  such  infor- 
mation be  designated  as  needing  protection,  i.e.,  that  it  be  classi- 
fied. To  further  aid  in  implementing  this  policy  the  regulation 
states  that  ’’the  dissemination  of  classified  information  orally,  in 
writing,  or  by  other  means,  shall  be  limited  to  those  persons  whose 
official  duties  require  knowledge  or  possession  (need-to-know)  there- 
of” and,  more  specifically,  no  person  shall  be  eligible  for  access  to 
classified  information  unless  a determination  has  been  made  as  to  his 
trustworthiness,  i.e.,  unless  he  has  been  given  the  requisite  level 
of  security  clearance. 

4.1.1  Information  Security  Model 

In  order  to  implement  a computer  system  providing  the  requisite 
security  of  official  information  from  any  possibility  of  compromise, 
it  is  necessary  that  that  system  behave  in  the  machine  domain  in 
precise  and  complete  correspondence  with  the  regulations  and  intent 
of  the  DoD  Information  Security  Program.  The  concepts  of  regulation 
DoD  5200. 1-R  (of  people,  information,  and  limiting  access  to  infor- 
mation), provide  the  basis  for  representing  the  DoD  Information 
Security  Program  in  the  form  of  an  Information  Security  Model.  This 
model  will  be  validated,  by  the  approving  authority,  to  be  a precise 
and  sufficient  algorithmic  statement  of  the  functions  corresponding 
to  the  requirements  and  definitions  of  DoD  5200. 1-R.  Upon  validation. 
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this  model  shall  be  the  controlling  criterion  against  which  the 
acceptability  of  the  Security  Kernel  Computer  Program  Product  (des- 
cribed in  Section  3 of  this  specification)  will  be  measured  for 
validation. 

4. 1.1.1  Elements  of  the  Information  Security  Model 

The  Information  Security  Model,  which  is  a precise  algorithmic 
statement  of  security  functions,  consists  of  four  elements:  sub- 
jects, objects,  an  access  control  mechanism,  and  an  authorization 
data  base.  The  model  describes  the  security  requirements  to  be 
satisfied  by  subjects  (people  or  processes)  for  accessing  objects, 
in  any  specifically  identified  mode,  under  control  of  the  Security 
Kernel.  In  the  meaning  of  this  paragraph,  objects  can  be  files, 
messages,  buffers,  terminals,  I/O  devices,  etc.  Objects  can  be 
accessed  by  subjects  only  in  accordance  with  the  compromise  preven- 
tion requirements  stipulated  by  the  access  control  mechanism  of  the 
Security  Kernel. 

4.1.2  Validation  Tests  and  Demonstrations 


A specific  program  of  demonstrations  and  tests  shall  be  per- 
formed to  verify  that  the  functionality  of  the  Security  Kernel 
Computer  Program  Product  (SKCPP)  precisely  and  completely  corresponds 
with  the  concepts  of  the  Information  Security  Model,  and  also  that  no 
functionality  of  the  SKCPP  fails  to  correspond  precisely  and  com- 
pletely with  one  or  more  concepts  of  the  model.  These  demonstrations 
and  tests  will  take  the  form  of  rigorous,  logically  sound  proofs  of 
correspondence,  and  may  be  performed  in  sequential  steps  of  validation 
which  form  a step-by-step  validation  correspondence  proof  chain 
stretching  between  the  executable  machine  code  (the  least  abstract 
representation  of  the  Security  Kernel)  and  the  Information  Security 
Model  (the  most  abstract  representation  of  the  Security  Kernel). 

Such  a validation  chain  is  discussed  in  paragraph  4. 1.2.1  below. 

4. 1.2.1  The  Validation  (Correspondence  Proof)  Chain 

The  process  of  validation  of  the  Security  Kernel  has  as  its  goal 
the  clear  and  rigorous  proof  that  the  conceptual  solution  of  the 
real-world  problem  of  prevention  of  compromise  of  information 
security,  as  represented  by  the  Information  Security  Model,  has  been 
precisely  implemented  on  the  particular  hardware/software  system  that 
will  deal  with  that  real-world  problem. 

Specifically,  it  is  required  that  the  functionality  of  the  hard- 
ware/software system  that  consists  of  the  binary  language  representa- 
tion of  the  Security  Kernel,  correctly  installed  and  operating  in  a 


223 


DEC  PDP-11/45  computer  with  Memory  Management  Unit,  be  rigorously 
proved  to  completely  and  exclusively  correspond  to  the  functionality 
described  by  the  Information  Security  Model. 

The  said  validation  goal  requires  that  all  aspects  of  the  proofs 
be  thoroughly  rigorous  and  that  they  be  clearly  documentable.  Un- 
fortunately, the  formal  language  and  semantics  in  which  the  SKCPP  is 
expressed  are  not  directly  comparable  with  the  logical  structure  of 
the  Information  Security  Model.  This  fact  would  make  direct  corre- 
spondence between  these  two  representations  impracticable  to  prove 
and  document.  Instead,  a multi-step,  continuous  chain  of  correspond- 
ence proofs,  similar  in  form  to  that  illustrated  in  Figure  23,  shall 
be  performed.  In  this  generalized  validation  chain  design  begins 
with  the  most  abstract  representation  (the  Information  Security  Model) 
and  proceeds  in  steps  through  more  concrete  representations  until  it 
reaches  the  most  concrete  form,  the  useable  system  (hardware/software 
binary  machine  language)  representation  of  the  Security  Kernel.  At 
each  link  in  the  chain,  it  is  required  that  any  and  all  state  trans- 
formations that  are  possible  in  the  less  abstract  (more  concrete) 
representation  be  proved  to  correspond  exactly  and  completely  with 
expected  state  transformations  in  the  more  abstract  representation. 
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Figure  23.  The  Validation  Chain 
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4. 1.2. 2 Validation  Chain  Components 


Figure  23  illustrates  four  kinds  of  representations,  at 
differing  levels  of  abstraction,  that  may  be  used  to  implement 
validating  the  proof  of  correspondence  between  the  useable  hard- 
ware/software binary  "machine  language"  representation  of  the 
Security  Kernel  and  the  "mathematical  model"  of  computer  security  of 
information.  The  four  representations,  leading  from  the  most 
abstract  to  the  most  concrete^ are: 

a.  mathematical  model, 

b.  formal  specification, 

c.  algorithmic  representation,  and 

d.  useable  system. 

As  used  here,  the  "mathematical  model"  refers  to  the  model 
described  in  reference  2.2a;  the  "formal  specification"  refers  to 
the  "Parnas  specification"  for  each  computer  program  component  which 
appears  as  paragraphs  3.2.n.l  in  Section  3 of  this  specification; 
and  the  "algorithmic  representation"  is  the  SKCPP  SUE  language  and 
PAL-11  representations  described  in  Section  3 of  this  specification. 

The  illustration  implies  that  correspondence  proofs  will  follow 
the  path  through  the  identical  representations  to  those  used  in 
design  to  show  that  less  abstract  corresponds  with  the  more  abstract 
representation.  However,  the  actual  proofs  of  correspondence  for 
validation  need  not  follow  the  identical  path  through  the  representa- 
tions that  were  used  in  development  of  the  SKCPP,  provided  that  the 
correspondence  proofs  constitute  a rigorously  continuous  chain  of 
proofs  that  prove  the  correspondence  between  the  useable  machine 
language  Security  Kernel  and  the  Information  Security  Model. 

The  correspondence  proof  chain  may,  for  example,  follow  a chain 
of  proofs  such  as  the  following: 

a.  Useable  hardware /software  binary  machine  language 
representation. 

b.  PAL-11  assembler  language  representation. 

c.  SUE  language  representation. 

d.  PARNAS  formal  specification. 

e.  Information  Security  Model. 
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5.  PREPARATION  FOR  DELIVERY 


This  section  states  the  requirements  incumbent  upon  the  Con- 
tractor for  preparing  the  Security  Kernel  Computer  Program  Product 
(SKCPP)  for  delivery  to  the  Government  and  for  insuring  the  integrity 
and  security  of  the  product  as  delivered  for  validation  and  final 
delivery . 

5 . 1 Preparation  of  Useable  Machine  Language  SKCPP 

Prior  to  the  start  of  validation  tests  and  demonstrations,  the 
Contractor  shall  take  all  the  actions  necessary  to  prepare,  produce 
and  protect  the  integrity  of  a precise  binary  machine  language 
representation  of  the  SKCPP  described  in  the  SUE  and  the  PAL-11 
languages  in  Section  3 of  this  specification.  The  Contractor  shall 
use  the  (combined  SUE  and  PAL-11)  high-order  language  SKCPP  repre- 
sentation of  this  specification  as  the  source  level  code,  in  a 
security  controlled  IBM  360  environment  where  the  Project  SUE  sys- 
tem and  the  PDP-11  cross  assembler  both  execute,  to  compile  the  SKCPP 
machine  language  load  module  on  9-track  magnetic  tape  media  for 
transfer  to  the  PDP-11/45.  The  Contractor  shall  protect  the  integrity 
of  this  preparation  process  and  the  resulting  machine  language  code 
media  as  required  by  paragraph  5.1.1  below. 

5.1.1  Protection  of  SKCPP  Integrity 

The  Contractor  shall  take  all  the  action  necessary  to  insure, 
protect,  and  preserve  the  accuracy  and  integrity  of  the  SKCPP  binary 
machine  language  load  module  for  the  PDP-11/45.  These  actions  shall 
include  but  not  be  limited  to: 

a.  Protection  of  the  integrity  of  the  source  level  code  through 
supervisory  control  and  monitoring  by  a specific  hierarchi- 
cal group  of  persons,  referred  to  hereinafter  as  the  Kernel 
Control  Group  (KCG) , selected  by  the  Contractor  and  the 
Government  and  approved  by  the  authority  designated  by  the 
Government  agency  responsible  for  the  SKCPP  procurement. 

The  Contractor  shall  provide  the  KCG  with  free  access  to 
monitor  and  review  the  correctness  of  the  source  level  code 
and  all  the  processes  employed  in  compiling  the  SKCPP  binary 
machine  language  load  module  in  the  tape  media.  The  KCG 
shall  have  complete  configuration  control  for  the  SKCPP. 

The  Contractor  shall  be  responsible  for  submitting  to  the 
KCG,  in  advance  of  implementation,  any  contemplated  modifi- 
cation whatsoever  to  the  SKCPP  source  level  code,  the 
compilation  environment  and  procedures  or  the  contents  of 
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the  load  module.  No  changes  shall  be  made  to  any  of  these 
entities  without  prior  approval  by  the  KCG. 

b.  Protection  of  the  physical  media,  in  which  the  binary 
machine  language  version  of  the  Security  Kernel  resides, 
from  any  possibility  of  unauthorized  alteration;  this  pro- 
tection shall  be  commensurate  with  the  level  of  protection 
required  by  the  highest  level  of  information  security 
classification  and  special  access  categories  for  which  the 
system,  in  which  the  said  Security  Kernel  will  be  installed, 
must  be  cleared. 

c.  Those  actions  necessary  to  allow  disclosing  the  contents  of 
and  information  describing  the  SKCPP  binary  machine  language 
load  module  as  if  it  were  unclassified,  while  protecting  its 
security  against  modification  to  the  extent  required  by  (b) 
above. 

d.  The  Contractor  shall  maintain,  at  all  times  subsequent  to 
its  initial  compilation,  a duplicate  copy  of  the  machine 
language  version  of  the  SKCPP,  and  shall  also  maintain  an 
up-to-date  history  of  any  and  all  modifications  that  occur 
to  the  original  copy  of  the  SKCPP. 

e.  Whenever  modification  occurs  to  the  binary  machine  language 
SKCPP,  the  duplicate  copy  shall  be  modified  to  maintain  its 
identity  with  the  original  copy,  and  the  SKCPP  must  imme- 
diately be  purged  from  the  computer  until  its  revalidation 
has  been  completed  and  approved, 

f.  Revalidation  after  modification  of  the  SKCPP  binary  machine 
language  media  shall  be  performed  and  documented  following 
procedures  meeting  the  requirements  of  Sections  4.1.2, 
4.1,2,!,  and  4, 1.2.2  of  this  specification. 
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6 . NOTES 


The  following  notes  are  provided  Informally  to  assist  the 
potential  Security  Kernel  user. 


NOTES  ON  THE  MITRE  PDP-11/45  PROTOTYPE 
SECURITY  KERNEL 


The  PDP-11/45  kernel  distribution  consists  of  two  9 track 
magnetic  tapes  and  documentation.  The  tapes  are  referenced  as  the 
tape  and  the  OS/360  tape.  These  notes  document  the  contents 

of  the  two  tapes  and  will  serve  as  a guide  to  additional  documenta- 
tion: 

a.  ESD-TR-75-69 , "The  Design  and  Specification 
of  a Security  Kernel  for  the  PDP-11/45", 

by  W.  L.  Schiller,  May  1975. 

b.  Memo,  "Project  7070  versus  IBM  OS/TSO  and  the  Project  SUE 
System  Language",  by  J.  A.  Larkins,  August,  1975.  This 
memo  was  originally  intended  for  use  by  MITRE  Project  7070 
personnel,  so  that  some  of  the  Information  it  contains  is 
relevant  only  to  the  MITRE  IBM  system. 

c.  Notes  on  "Using  the  Kernel  Exerciser". 

d.  Notes  on  "Using  the  ALTER  Program". 

e.  PDP-11/45  Configuration  Chart. 

f.  PDPTAPEl  job  output  and  tape  dump. 

g.  0STAPE2  job  output. 

h.  SUE  compilation  listings  for 

- STARTUP 

- KERNEL 

- EXEC 

- LISTENER 

- EXERCISE 
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i.  PAL  assembly  listings  for 

- VDIMP 

- BOOT 

- DALLOC 

- DFREE 

- LSD 

- DISKIO 

- SWAP 

For  information  on  the  SUE  Compiler  itself,  contact  Dr.  R.  C. 
Holt,  Computer  Systems  Research  Group,  University  of  Toronto. 


PDP-11  TAPE 

The  PDP-11  tape  can  be  bootloaded  onto  a PDP-11  by  the  fimnware 
Bootstrap  Loader  (MRll-DB).  It  contains  object  code  of  the  Security 
Kernel,  a program  which  initializes  the  Kernel,  programs  that  run  in 
conjunction  with  the  Kernel,  and  a simple  test  program.  The  tape 
distributed  has  been  successfully  loaded  onto  MITRE’ s PDP-11/45,  but 
it  is  configuration  dependent.  Physically,  the  tape  consists  of 
eight  records  followed  by  a file  mark.  The  following  paragraphs 
describe  the  contents  of  each  record. 

Record  1 


Record  1 is  a short  record  of  all  zeros.  It  is  only  on  the 
tape  because  MITRE ’s  bootstrap  loader  skips  the  first  record  and 
loads  the  second. 

Record  2 


Record  2 is  BOOT,  a short  program  written  in  PAL-11.  BOOT  is 
loaded  by  the  bootstrap  loader  starting  at  location  0 and  then  con- 
trol is  passed  to  it  (at  0).  BOOT  loads  record  3 starting  at  loca- 
tion 8000  and  then  passes  control  to  it.  Since  record  3 is  a SUE 
program,  BOOT  like  most  other  programs  on  the  tape  is  cognizant  of 
the  SUE  runtime  environment  and  initializes  general  purpose  registers 
4 and  6 appropriately. 

Record  3 


Record  3 contains  STARTUP.  STARTUP  does  the  initialization  that 
is  necessary  before  the  first  Security  Kernel  function  can  be  invoked 
it  puts  the  system  into  Z^,  the  initial  secure  state.  STARTUP  ini- 
tializes the  Security  Kernel’s  data  bases,  reads  in  the  rest  of  the 
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tape,  and  transforms  itself  into  the  executive  process.  STARTUP 
does  a few  things  that  may  be  unnecessarily  complex.  The  main 
memory  in  which  STARTUP  runs  is  allocated  to  the  Process  Segments, 
to  the  two  executive  stacks  and  to  the  ROOT  directory.  The  stacks 
are  not  accessed  until  STARTUP  is  finished,  but  it  must  initialize 
the  Process  Segments  and  the  ROOT  while  it  is  running.  The  final 
transition  into  the  executive  process  is  also  a little  complex. 

Record  4 


Record  4 contains  VDUiyiP,  a simple,  stand-alone  debugging  pro- 
gram written  in  PAL-11.  It  uses  hexadecimal  notation  and  displays 
main  memory  locations  when  started.  Since  it  runs  with  the  MMU,  it 
can  access  any  area  in  core,  given  the  corresponding  descriptors. 

VDUMP  is  invoked  by  manually  branching  to  location  3400  (hexadecimal) . 

Record  5 


Record  5 contains  the  Security  Kernel. 

Record  6 

Record  6 contains  EXEC,  the  code  that  the  executive  process 
executes.  EXEC  runs  on  the  Security  Kernel  but  the  executive  pro- 
cess has  special  privileges  - it  is  the  root  process  and  is  the 
only  process  that  can  create  new  processes.  It  is  also  the  only 
trusted  subject  in  the  system. 

EXEC  has  two  phases  - a one-time-only  phase  and  a steady-state 
phase.  In  the  one-time-only  phase  it  establishes  the  initial 
hierarchy  by  creating  some  directories  and  putting  code  and  I/O  seg- 
ments into  them.  In  the  steady-state  EXEC  responds  to  user  logon 
and  logoff  requests  by  starting  processes  that  run  the  EXERCISER  or 
the  LISTENER. 

Record  7 


Record  7 contains  the  LISTENER,  a program  that  the  executive 
runs  in  a process  for  each  free  terminal.  The  LISTENER  responds  to 
user  logon  requests  at  its  process's  terminal.  If  the  request  is 
valid  the  LISTENER  destroys  itself,  an  event  that  is  detectable  by 
the  executive.  The  response  of  the  executive  is  to  start  a user 
process  running  the  EXERCISER  for  the  terminal.  Communication 
between  LISTENER  processes  and  the  executive  is  through  shared  data 
segments.  The  format  of  the  logon  request  is: 


START 


<user-id>  <project-id>  <class> 


[<cat>] 
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user-id  must  be  a decimal  number  greater  than  7 and  less  than  32767. 
project-id  must  be  a decimal  number  greater  than  1 and  less  than  127. 
class  must  be  T,  S,  C,  or  U. 

cat  is  an  optional  parameter  that  can  be  any  16  bit  decimal  nximber. 
The  LISTENER  does  not  perform  any  type  of  user  authentication. 

Record  8 


Record  8 contains  the  EXERCISER,  a test  program  that  permits  a 
user  at  a terminal  to  invoke  arbitrary  Kernel  functions  with  arbi- 
trary input  parameters.  Further  details  are  given  in  the  enclosed 
outline,  "Using  the  Kernel  Exerciser". 


GENERATING  THE  PDP-11  TAPE 

The  PDP-11  tape  is  generated  (on  the  S/360)  with  the  following 
JCL  and  control  cards: 

//  EXEC  WLSTAPE 


BOOT 

STARTUP  1 

VDUMP 

KERNEL  4 

EXEC  1 

LISTENER  2 

EXERCISE  10 

columns : 1 


The  catalogued  procedure  WLSTAPE  and  the  program  it  invokes, 
RELOCATE,  are  included  on  the  OS/360  tape.  RELOCATE  writes  record  1 
onto  the  tape  and  then  starts  reading  the  control  cards.  Each  con- 
trol card  gives  the  member  name  of  a program  in  a library  and  a 
relocation  indicator.  (0  is  assumed  if  the  relocation  indicator  is 
omitted.)  For  each  control  card-RELOCATE  reads  the  program  into 
S/360  core  with  a LOAD  macro,  undoes  the  relocation  performed  by  OS, 
redoes  the  relocation  for  the  PDP-11,  performs  a byte  reversal 
(because  the  PDP-11  puts  the  even  byte  in  the  right  hand  side  of  the 
halfword),  and  dumps  the  program  onto  the  tape.  RELOCATE  is  able  to 
redo  the  relocation  because  it  knows  the  format  of  object  programs 
produced  by  the  SUE-11  compiler  - only  VCON^s  need  be  relocated,  and 
all  VCONs  begin  at  a fixed  point  relative  to  the  beginning  of  each 
procedure.  RELOCATE  requires  that  the  entry  point  of  each  program 
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be  a relative  0.  This  requirement  is  easily  satisfied  by  following 
a simple  convention  for  compilations  and  link  edits.  The  relocation 
factor  for  the  PDP~11  is  the  relocation  indicator  x2  (hexadecimal) . 
RELOCATE  is  not  idiot  proof  - an  improperly  formed  program  could 
cause  it  to  loop. 

Since  it  is  likely  that  you  will  have  to  modify  our  PDP~11 
software,  the  OS/360  tape  includes  the  bulk  of  our  program  develop- 
ment environment,  in  addition  to  the  PDP-11  source  and  object.  The 
doctiment  entitled  "Project  7070  versus  IBM  370  OS/TSO  and  The  Pro- 
ject SUE  System  Language",  should  serve  as  a guide  to  our  software 
development  system.  The  output  of  the  job  that  created  the  tape, 
0STAPE2,  is  included.  It  should  be  sufficient  to  determine  how  to 
unload  the  tape.  The  following  paragraphs  describe  each  file  on 
the  tape.  Unless  otherwise  noted,  each  file  is  an  unloaded  parti- 
tioned data  set.  An  alias  filename  is  given  whenever  it  may  be 
referenced  in  two  different  ways- 

File  1 - SUE.P7070.LINKLIB 

(Alias : SUE . VERSIONl. P7070 . LINKLIB) 

This  library  is  used  as  the  input  to  the  PDP-11  tape  generation 
process.  It  contains  OS  load  modules  with  all  external  references 
resolved. 

File  2 - SUE. GN. KERNEL. LINKLIB 


The  object  deck  output  of  compilations  is  run  through  the 
linkage  editor  and  into  this  library  - it  contains  load  modules  with 
unresolved  external  references.  A subsequent  link  edit  that  resolves 
the  external  references  uses  this  library  as  input  and  the  File  1 
library  as  output. 

File  3 - TS0231. SUE. GN. KERNEL. SOURCE 


This  file  contains  the  source  card  images  of  most  of  the  PDP-11 
software.  Most  of  the  members  contain  SUE  code,  but  some  contain 
PAL-11  source.  A copy  of  the  PAL-lls  cross  assembler  that  we  use 
can  be  obtained  for  $25.00  from 

Mr.  William  F.  Decker 
University  of  Iowa 
Iowa  City,  Iowa 
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File  4 - TS0231. SUE. P7070. SOURCE 

(Alias : SUE . VERSIONl. P7070 . SOURCE) 

This  file  contains  the  source  card  images  for  the  rest  of  our 
PDP-11  software. 

File  5 - SUE. GN. KERNEL. DATA 

File  6 - SUE. GN. KERNEL. PROGRAM 

File  7 - SUE. P 70 70. DATA 

(Alias : SUE . VERSIONl . P7070 . DATA) 

File  8 - SUE. P 70 70. PROGRAM 

(Alias : SUE . VERSIONl. P7070 . PROGRAM) 

The  members  in  these  files  are  the  output  of  the  SCRUNCH  pre- 
processor and  the  input  to  the  SUE-11  compiler. 

File  9 - SUE.DISTRIB.LOADMOD 

(Alias : SUE . VERS lONl . LOADMOD) 

This  file  contains  the  object  code  of  three  programs  - NIT, 
RELOCATE,  and  WLSALTER.  NIT  transforms  the  output  of  the  PAL-lls 
cross  assembler  we  use  into  an  OS  object  deck  so  that  further  pro- 
cessing by  the  linkage  editor  can  take  place.  NIT  is  not  intended  to 
be  fully  general  or  idiot  proof,  and  will  only  work  for  small  and 
simple  programs  (no  external  references)  of  the  type  that  we  have 
written.  The  catalogue  procedure  that  invokes  NIT  is  NLSPAL.  The 
following  control  cards  should  be  used: 

//EXEC  WLSPAL,FILE=’<filename>’  ,MEMBER=<name>,TSOID=TS0231 
//NIT.SYSIN  DD  * 

<name> 

RELOCATE  has  already  been  discussed. 

The  load  module  WLSALTER  is  used  for  maintaining  source  input  as 
card  images  on  a private  disk  pack.  A listing  of  the  user's  source 
is  always  produced  after  execution  of  the  ALTER  program.  This  pro- 
gram is  a modification  of  a MITRE  utility  program  written  in  OS 
Assembler.  Line  numbers  are  added  to  the  print  file  records  when  a 
change  is  made  to  the  source  file,  but  the  OUTPUT  subroutine's  out 
file  is  never  numbered.  The  ALTER  program  is  referenced  in  the 
"Project  7070  versus  IBM  370..."  document  (SUEAS)  with  further  de- 
tails found  in  the  enclosed  documentation  entitled  "Using  the  ALTER 
Program". 
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File  10  - SUE .WLS. SYSTEM. SOURCE 

(Alias:  SUE. VERSIONl. SYSTEM, SOURCE) 

This  file  contains  the  source  of  NIT,  RELOCATE,  and  WLSALTER, 
NIT  is  written  in  PL/1  and  can  probably  be  compiled  by  the  F or 
Optimizing  compilers.  RELOCATE  and  WLSALTER  are  written  in  OS 
Assembler.  RELOCATE  uses  a few  macros  included  on  this  tape. 

File  11  - SUE. VERS lONl.PROC 


This  file  contains  catalogued  procedures.  The  procedures  that 
begin  with  ”SUE”  are  documented  in  "Project  7070  versus  IBM  370,,,"  - 
they  are  similar  but  not  identical  to  the  procedures  distributed  by 
the  University  of  Toronto.  The  only  other  procedures  are  WLSPAL  and 
WLSTAPE. 

File  12  - WLS.MACLIB 


OS  Assembler  macros  used  by  RELOCATE. 

File  13  - TS0231.JCL 

(Alias:  SUE. VERS lONl.JCL) 

This  file  contains  JCL  and  control  cards  to  compile /assemble  all 
of  the  PDP-11  source  on  the  PDP-11  tape. 


CONFIGURATION  DEPENDENCIES 

Our  PDP-11  software  has  configuration  dependencies  imbedded  in 
program  constants  and  code.  There  are  three  types  of  dependency  - 
main  memory,  secondary  storage,  and  terminals.  A constant  in  the 
context  block  KERNEL,  MEM__SIZE,  sets  our  memory  size  to  128K  bytes. 
If  you  make  this  constant  larger  you  must  also  increase  the  size  of 
the  Memory  Block  Table,  and  this  change  will  require  adjusting  the 
locations  of  all  the  Kernel  data  structures  that  follow  it.  There 
should  be  no  problems  running  in  less  than  128K  bytes  if  restricted 
to  two  or  three  processes.  Main  Memory  requirements  and  the  impact 
on  the  number  of  processes  that  can  be  used  have  not  yet  been 
adequately  determined. 

The  Kernel  supports  an  RFll  for  secondary  storage.  Only  the 
PAL-11  routine  DISKIO  in  the  Kernel  knows  about  the  RFll.  If  you 
are  willing  to  restrict  your  experimentation  you  can  probably  just 
turn  off  the  disk  I/O,  removing  the  calls  to  DISKIO  and  the  P’s  on 
the  disk  semaphore  from  SWAPIN  and  SWAPOUT.  (See  Dijkstra’s  "The" 
paper  for  a discussion  of  this  topic.) 


234 


We  currently  support  four  TTY--like  terminals.  The  UNIBUS 
addresses  of  the  control  registers  for  these  terminals  have  been  set 
so  that  they  all  begin  at  the  same  offset  relative  to  a 256  byte  seg- 
ment. The  included  configuration  chart  gives  a complete  listing  of 
our  UNIBUS  addresses.  One  terminal  has  the  standard  address  for  the 
system  console.  Changing  the  number  of  terminals  requires,  among 
other  things,  changing  the  constant  USER_PROCESS#_MAX  in  the  context 
block  NOFORN,  changing  the  code  in  STARTUP  that  initializes  I/O 
vectors  and  wires  down  I/O  segments,  adding  interrupt  handlers  to 
the  GATE  program  in  the  Kernel,  changing  the  constants  in  PROGRAM 
EXEC  that  define  ASTE#’s  for  I/O  and  program  code  segments,  and 
changing  the  code  in  EXEC  that  puts  l/O  segments  into  the  hierarchy. 

USING  THE  ALTER  PROGRAM 

The  ALTER  program  uses  two  input  files  and  three  output  files. 

The  data  to  be  updated  is  referenced  as  a sequential  input  file 
called  IN.  The  second  input  file  is  used  to  contain  the  ALTER  control 
cards,  which  specify  additions  or  deletions  of  whole  cards  and  the 
changes  to  a given  card  image.  Alterations  to  be  input  file  are  made 
on  the  basis  of  their  numeric  sequence  number  as  read  in  (not  on 
the  basis  of  any  number  which  may  appear  on  the  card  image) . 

When  the  ALTER  program  copies  the  user's  input  file,  two  output 
files  are  generated,  one  for  the  printer  (PRINT)  and  the  other  for 
the  user's  updated  version  (OUT).  The  third  sequential  output  file 
is  used  to  list  the  control  cards  and  any  error  messages. 

The  MET  and  MVT  versions  of  OS/370  will  generate  a //SYSIN  DD  * 
card  automatically  if  they  encounter  unspecified  data  cards  in  the 
input  stream.  If  SYSIN  is  present  (including  DD  DUMMY  and  the 
implied  DD  * cases) ^ then  sequence  numbers  will  be  generated  on  the 
output  records  in  columns  77-80;  otherwise  the  records  will  be 
copied  unmodified. 

CONTROL  CARDS 

A control  card  is  a card  from  the  SYSIN  data  set  having  a 
number  sign  (#)  in  column  one.  There  are  three  types  of  control 
cards  (described  below) . All  control  cards  have  an  integer  immediately 
following  the  number  sign.  The  control  cards  must  be  arranged  so 
that  these  integers  (alter  numbers)  are  in  strictly  ascending  order. 

A card  from  SYSIN  that  is  not  a control  card  is  copied  to  OUT  and 
PRINT  files  after  the  last  mentioned  alter  number.  Note  that 
insertions  may  follow  all  types  of  control  cards  and  that  it  is  not 
possible  to  insert  a card  commencing  with  a number  sign. 
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1.  Position  control  card; 
#n 


This  card  begins  with  a number  sign,  an  integer,  and  two 
blanks;  anything  else  on  the  card  is  ignored.  It  causes  no  change 
directly  but  is  used  to  position  the  input  for  insertions. 

2.  Deletion  control  card: 


#n,m 

This  card  begins  with  a number  sign,  an  integer,  a comma, 
another  integer,  and  two  blanks;  anything  else  on  the  card  is  ignored. 
The  second  integer  must  be  not  less  than  the  first.  The  corresponding 
cards  from  the  IN  file  (n  through  m inclusive)  are  deleted  (not 
copied  to  OUT  and  PRINT  files) . Replacements  for  the  deleted  cards 
can,  of  course,  appear  after  the  deletion  control  card. 

3.  Alter  control  card: 

//n  A . pattern . replacement  [ . ] 

This  card  begins  with  a number  sign,  an  integer,  a blank, 
an  ”A”,  another  blank,  a control  character,  a pattern,  another 
control  character,  a replacement  string,  and  optionally  a third 
control  character.  The  control  character  may  be  any  character 
(including  blank) . The  pattern  may  be  any  string  of  one  or  more 
characters  excluding  the  control  character . The  replacement  may  be 
any  string;  it  is  considered  to  end  at  the  last  non  blank  character 
on  the  card  unless  the  character  is  a control  character , in  which 
case  the  replacement  terminates  at  the  character  to  the  left  of  the 
last  non  blank  character.  Note  that  the  replacement  can  have  zero 
length  or  can  itself  contain  instances  of  the  control  character. 

Note  also  that  comments  are  not  permitted  on  this  control  card. 

The  effect  of  the  alter  control  card  is  to  replace  the  first 
(from  left  to  right)  instance  of  the  pattern  with  the  replacement. 

The  characters  to  the  right  of  the  pattern  on  the  original  card  are 
moved  left  or  right  as  necessary  except  that  blanks  are  propagated  left 
from  column  77  (the  sequence  number  field  is  not  eligible  for  left 
shifts) • Any  characters  shifted  right  from  column  76  are  lost.  Only 
one  replacement  may  be  made  on  a card. 

ERROR  CONDITIONS 

1.  Alter  number  too  large.  (Return  code  4.)  This  condition 
occurs  if  an  alter  number  that  is  greater  than  the  number  of  input 
records  is  encountered.  The  remaining  input  on  SYSIN  is  ignored. 
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2.  Illegal  control  card.  (Return  code  8.)  This  can  mean  an 
incorrect  format  or  a card  out  of  sequence;  in  either  case  it  is 
ignored. 


3.  Match  not  found  for  alter.  (Return  code  16.)  If  no  match 
is  found  then  no  change  is  made. 

The  return  code  from  the  ALTER  program  is  the  sum  of  the 
individual  codes  except  that  each  is  counted  at  most  once.  Thus, 
a return  code  of  20  would  mean  that  SYSIN  input  was  ignored,  one 
or  more  alter  matches  failed,  and  there  were  no  illegal  control 
cards. 

Example 

11  EXEC  SUEAS , FILE= ’ SAMPLE ’ 

#2,2 

HELLO  SUE 
#38  A .DATA. 

#44  A .DSN.DS. 

#88,90 

/* 

The  changes  caused  by  the  above  control  cards  would  be: 

1.  The  second  card  image  is  replaced  by  the  data  line  "HELLO  SUE". 

2.  The  first  occurrence  of  "DATA"  on  the  38th  card  image  is 
deleted. 

3.  The  "DSN"  is  changed  to  "DS"  on  the  44th  card  image. 

4.  Card  images  88  through  90  are  deleted. 

USING  THE  KERNEL  EXERCISER 

The  basic  functions  of  the  Security  Kernel  as  it  is  currently 
running  on  the  PDP-11/45  may  be  accessed  by  way  of  the  Kernel 
Exerciser.  Outlined  below  are  the  procedures  for  calling  up  and 
running  this  program. 

I.  Steps  to  mounting  the  system  tape  and  initiating  execution: 

1.  Mount  the  system  tape  - PDPTAPEl  - on  drive  0 and  press 
LOAD.  The  ONLINE  button  should  light. 

2.  On  the  system  operator's  console,  the  control  knobs 
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for  the  Address  Display  Select  should  be  set  at  CONSOLE 
PHYSICAL,  and  for  the  Data  Display  Select  at  DATA  PATHS. 

3.  Boot  load  the  system  tape  by  entering  773136 (octal)  into 
the  console  switch  register.  Press  in  sequence  HALT, 

LOAD  ADDR,  ENABLE,  START. 

4.  The  TTY  Decwriter,  and  two  TELTERM  scopes  should  echo 

a carriage  return  (cr)  signaling  that  the  keyboards  are 
unlocked.  (Note  that  all  communication  is  in  TTY  mode.) 

II.  Logging  onto  the  system: 

Every  user  logs  onto  the  system  by  entering: 

START  /userid/  /projectid/  /classification/  /category/  (cr) 

/userid/  - any  decimal  integer  from  8 to  32766 
/projectid/  - any  decimal  integer  from  2 to  126 
/classification/  - U (unclassified),  S (secret),  C 

(confidential),  or  T (top  secret) 
/category/  - any  decimal  integer  from  -32768  to  32767 

The  system  response  is:  HELLO,  THE  KERNEL  EXERCISER  IS 
IN  CONTROL 

At  this  point,  any  of  the  Kernel  commands,  as  described 
in  Section  IV,  may  be  entered  with  the  appropriate 
arguments. 

III.  Error  Recovery 

Should  unrecognizable  data  be  entered,  the  system  response 
is : 


ERROR,  TRY  AGAIN 

Cancel  a line  by  pressing  the  line  feed  key;  correct  a 
line  by  using  the  key  as  a backspace  key. 
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IV.  The  Kernel  Commands 


FUNCTION 

ARGUMENTS 

RETURN  CODE 

******** 

********* 

*********** 

CREATE 

/seg#/  /offset/  /class/  /cat/ 
/seg-type/  /size/ 

OK  or  ERROR 

DELETE 

/seg#/  /offset/ 

OK  or  ERROR 

GIVE 

/seg#/  /offset/  /mode/  /user/ 

/proj 

ect/  OK  or  ERROR 

RESCIND 

/seg#/  /offset/  /user/  /projec 

t/ 

OK  or  ERROR 

GETW 

/seg#/  /offset/ 

/seg#/  or  ERROR 

GETR 

/seg#/  /offset/ 

/seg#/  or  ERROR 

RELEASE 

/seg#/ 

none 

ENABLE 

/seg#/  /reg#/ 

OK  or  ERROR 

DISABLE 

/reg#/ 

none 

P 

/seg#/ 

OK  or  ERROR 

V 

/seg#/ 

OK  or  ERROR 

T 

/seg#/ 

OK  or  ERROR 

IPCSEND 

/process#/  /message/ 

none 

IPCRCV 

none 

(OK, /message/, 
/process#/ 

STOPP 

none 

STOPP  ACCEPTED 

READIR 

/seg#/  /offset/ 

(OK, /class/ , 
/cat/,/seg_type/, 
/size/)  or  ERROR 

ARGUMENT  VALUES 
********  ****** 


/class/ : 

1-4 

1 - 
2 - 

3 - 

4 - 

unclassified 

confidential 

secret 
top  secret 

/cat/ : 

0-32767 

/message/ : 

1-32767 

/mode/ : 

W - write  access 
R - read  access 

N - no  access 

/offset/ : 1-63 


Root  offsets  - 

1 - Process  Directory  Directory 

2 - I/O  Directory 

3 - Code  Directory 
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/process#/ : 


1 - executive 

2 - TTY 

3 - DECwriter 

4 - Telterm  #1 

5 - Telterm  #2 


/project/ : 


1-127 


1 - System  project 
127  - All  Projects 


/reg#/:  0-15 

/seg#/:  1-31 


0 - Stack  reg 

1 - I/O  reg 

2 - Code  reg 

1 - Root  seg 

3 - Code  seg 

4 - Stack  seg 

5 - I/O  seg 


/seg- type/ 

0 - data 

128  - directory 

/size/ 

1 - 256  bytes 

4 - Ik  bytes 

16  - 4k  bytes 

Only  size  4 (IK  bytes) 
is  implemented 

/user/ : 

8—16383  16383  — All  users 

ERROR  CODES 
*****  ***** 

-1;  OK 

-2;  ERROR 

-3:  SEVERE 

ERROR 

Operation  performed 
Security  or  Implementation 
Violation 

Parameter  out  of  bounds  or 

segment  not  in  address  space 


PROJECT  7070  VERSUS 
THE  PROJECT  SUE 


IBM  370  OS/TSO  AND 
SYSTEM  LANGUAGE 


The  Project  SUE  System  Language  and  compiler  were  chosen 
as  tools  to  implement  the  security  model  on  the  PDP-11/45  because 
its  structure  allows  the  construction  using  structured  programming 
(the  language  has  no  GOTO  statement)  of  an  operating  system  which, 
as  far  as  a high  level  language  and  machine  code  is  concerned, 
can  be  proved  correct.  This  language  supports  Top-Down  construction 
and  testing  of  all  modules  within  the  limited  purpose  operating 
system  being  developed  by  Project  7070.  The  compiler  and  assembler 


240 


run  on  the  IBM  370  and  the  conventions  described  here  were  invented 
to  help  the  programmer  to  cope  more  easily  with  the  intricacies  of 
the  program  structure,  compiler  requirements  and  OS/370  and  thus 
allow  the  programmer  to  concentrate  on  producing  correct  code. 

All  Project  7070  files  are  kept  on-line  and  ISO  is  used  to  edit 
those  files  because  it  is  faster  than  a batch  editor  and  one  avoids 
the  pitfalls  of  keypunch  errors,  errors  in  JCL  and  long  waits,  among 
other  things.  Jobs  can  be  submitted  either  through  normal  batch  pro- 
cessing or  through  the  Remote  Job  Entry  (RJE)  facility  of  ISO  and 
output  is  received  in  the  ordinary  manner.  If  one  wishes  one  can 
fetch  output  to  an  on-line  data  set  and  examine  it  at  the  terminal. 
These  possibilities  are  limited  only  by  budget  and  the  programmer’s 
imagination. 

The  Sue  Program  Structure 

The  SUE  System  Language  is  a block-structured  language  some- 
what like  ALGOL,  but  with  COBOL- like  structures  known  as  compilation 
blocks.  There  exist  in  the  language  three  types  of  these  structures, 
Context  Blocks,  Data  Blocks  and  Program  Blocks.  The  Context  Blocks 
contain  declarations  for  global  types,  absolute  locations  for 
variables  in  virtual  space  and  global  Macro  declarations.  The 
Program  Blocks  contain  executable  code  and  all  declarations  of 
local  variables  and  types  if  that  is  feasible. 

Any  Sue  program  or  procedure  must  consist  of  a Data  Block 
(which  need  not  contain  any  statements)  and  a Program  Block  both 
of  which  have  the  same  name  in  the  Block  Head  (e.g.,  ’Data  NAMEl;’ 
are  headings  for  the  Data  and  Program  Blocks  respectively  of  a 
program  called  NAMEl) . If  the  program  contains  no  internally  called 
procedures,  the  Data  and  Program  Blocks  can  be  fed  into  the  compiler 
one  right  after  the  other.  If,  on  the  other  hand,  internal 
procedures  are  declared,  then  the  Program  Block  for  any  procedure 
must  be  preceded  by  its  own  data  block  and  those  of  its  enclosing 
procedures  and  must  be  followed  by  the  Program  Blocks  of  its 
enclosing  procedures.  The  proper  sequence  for  Data  and  Program 
Blocks  is  illustrated  in  Figure  la.  Note  that  the  structure  in 
Figure  lb  is  similar  to  nested  Fortran  DO  loops  and  that  the  outer- 
most Program  Block  may  be  omitted  if  the  programmer  does  not  wish 
it  to  be  compiled.  This  compilation  schedule  is  reponsible  for 
the  structure  of  the  Project  7070  SUE  files. 
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The  Compilation  Procedure 


There  are  two  steps  in  any  compilation  of  the  source  code  of 
the  SUE  System  Language  - 1)  a preprocessing  step  called  SCRUNCH 
which  produces  input  to  2)  the  compile  step.  Because  of  this  scheme 
every  SUE  file  has  4 PDSs  allocated  to  it  for  code  - 1 PDS  contain- 
ing source  code,  2 PDSs  containing  SCRUNCHED  Code  and  1 PDS  con- 
taining  link  edited  object  code.  Figures  2a  and  2b  summarize  the 
functions  and  illustrate  the  naming  conventions  for  these  PDSs. 

The  SOURCE  PDS  has  members  whose  names  are  the  procedure  names  which 
may  be  suffixed  by  either  "D"  or  "P".  For  stand-alone  Procedures, 
both  the  Data  and  Program  Blocks  are  contained  in  one  member  with 
the  same  name  as  the  procedure  name.  Procedures  containing  internal 
procedures  have  Data  and  Program  blocks  in  separate  members  with 
names  suffixed  by  "D"  and  "P"  respectively.  For  example  - a stand- 
alone procedure  called  NAMEl  would  have  all  its  source  code  contained 
in  a member  of  the  SOURCE  PDS  called  NAMEl  - in  other  words  it  exists 
as  one  member  in  the  source  PDS;  while  a procedure  named  NAME2  con- 
taining internal  procedures  would  have  its  Data  Block  contained  in  a 
SOURCE  PDS  member  called  NAME2D  and  its  Program  Block  contained  in 
a SOURCE  PDS  member  called  NAME2P  - thus  this  program,  unlike  the 
stand-alone  procedure,  exists  as  2 members  in  the  SOURCE  PDS  rather 
than  just  1.  At  the  beginning  and  end  of  each  member  are  control 
statements  (beginning  with  "$$")  which  tell  the  Scrunch  Preprocessor 
when  an  end  of  file  condition  has  been  reached  (last  statement  of 
SOURCE  PDS  member)  and  where  and  under  what  name  to  place  the  output 
from  the  scrunch  step  (the  first  statement  of  the  SOURCE  PDS  member). 
In  Figures  3a  and  3b  we  see  that  each  member  begins  with  the  $$OUT_ 
NAME  statement.  The  parentheses  immediately  to  the  left  of  the 
equals  sign  contains  the  name  of  the  particular  Scrunch  PDS  (Data  or 
Program)  to  which  the  output  from  the  preprocessor  will  be  read.  All 
SOURCE  member  names  ending  with  "D"  will  have  "DATA"  within  the 
parentheses.  Those  ending  with  "P"  will  have  "PROGRAM"  within  the 
parentheses.  To  the  right  of  the  equals  sign  is  placed  the  name  by 
which  the  member  will  be  called.  This  name  is,  by  convention,  the 
Procedure  or  Program  name  unless  that  name  is  more  than  8 letters  or 
contains  a break  character  (’__’)-  The  last  statement  of  each  SOURCE 
PDS  member  is  the  $$EOF  which  indicates  an  end  of  records  condition 
to  the  preprocessor. 
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CONTEXT  anyn  ame 


source  code 


if  needed 


DATA  NAMEl 


source  code 


(if  any) 


PROGRAM  NAMEl 


source  code 


Figure  la.  A SUE  Program  (Generalized)  With  No  Internal  Procedures 
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CONTEXT 


anyname;  -if  needed 


- DATA 

NAMEl  ; 

DECLARE 

PROCEDURE 

_1_ 

— DATA 

NAME2  ; 

DECLARE 

PROCEDURE 

—DATA 

NAME3  ; 

—PROGRAM 

(NAME3) 

_1_ 

— DATA 

NAME4  ; 

DECLARE 

PROCEDURE 

r— dItA 

NAMES  ; 

—PROGRAM 

(NAMES) 

— PROGRAM 

(NAME4) 

PROGRAM 

(NAME2) 

— PROGRAM 

(NAMEl) 

(NAME2) ; 

(NAMES, NAME4); 

(NAME5) ; 

-can  be  omitted 


Figure  lb.  Schematic  Diagram  Showing  Compilation  Order  and 
Scope  of  Various  Blocks  of  a Procedure  with 
Internally  Declared  Procedures 
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1) 

SOURCE 

- card  images  which  are  input  to  the  SCRUNCH 
Preprocessor 

2) 

DATA 

- output  from  SCRUNCH,  input  to  compiler 

3) 

PROGRAM 

- output  from  SCRUNCH,  input  to  compiler 

4) 

LINKLIB 

- Link  edited  object  code,  output  of  the 
compiler 

Figure  2a.  Names  of  SUE  PDSs  Which  Contain  Code  and  their 
Function 


SUE . < f i lename  > . < PDSname  > 

N.B  The  Source  PDS  has  the  programmer’s  TSO  account 
number  prefixed  to  the  data  set  name. 

<file  name>,  by  convention,  is  the  programmer’s 
initials  followed  by  a period  and  the  filename 
(e.g.,  JAL.SYSPROC) 


Figure  2b.  Generalized  Names  for  USE  PDSs. 
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$$OUT_NAME  (DATA)  =NAME1 
DATA  NAMEl; 


source  code 


PROGRAM  NAMEl; 


source  code 


$$EOF 


Figure  3a.  Generalized  Diagram  of  Source  Code  for  Member 

Namel  Showing  Scrunch  Control  Cards.  (This  is  a 
procedure  without  contained  procedures.  Resides 
in  Source  PDS  as  NAMEl.) 


$ $OUT_NAME (DATA) =NAME2 
DATA  NAME2; 


source  code 


$$EOF 


Figure  3b. 1 Data  Block  for  a- Program  Called  Program  Name 
Which  has  Internal  Procedures.  (Resides  in 
SOURCE  PDS  as  NAME2D.) 
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$ $ OUT_NAME  (PROGRAM)  =NAME2 
PROGRAM  NAME2 ; 


source  code 


$$EOF 


Figure  3b. 2 Program  Block  for  a Program  Called  Program 
Name  Which  Has  Internal  Procedures. 
(Resides  in  SOURCE  PDS  as  NAME2P.) 


The  Scrunch  Step 

In  order  to  call  the  Scrunch  Preprocessor,  the  programmer 
codes  a JCL  EXEC  control  card  calling  the  Procedure  SUES  specifying 
the  file  name  (FILE=’<file  name>')  and  member  name  (MEMBER= 
<membername>) . The  procedure  will  invoke  the  Scrunch  Program  using 
the  parameters  given  by  the  programmer  to  identify  the  Data  Set 
Name  and  Member  Name  of  the  member  of  the  SOURCE  PDS  to  be  scrunched. 
SUES  must  be  invoked  for  every  member  to  be  scrunched  and  the  procedure 
will  overwrite  any  existing  scrunched  code  in  the  member  of  the 
Scrunch  Data  Set  if  that  member  exists.  If  that  member  does  not 
exist  it  will  be  created.  Therefore,  when  changes  are  made  to 
source  code,  that  code  can  be  scrunched  without  first  having  to 
delete  the  scrunched  code  associated  with  the  original  source  code. 
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The  Compilation 


The  compiler  is  invoked  by  one  of  2 procedures  - SUEC  or 
SUECL.  The  first  is  intended  to  produce  only  a listing  with  error 
messages,  the  data  set  containing  object  code  being  deleted  by  OS. 

The  second  procedure  passes  the  object  code  to  the  Linkage  Editor, 
which  it  invokes. 

When  calling  SUEC  the  programmer  must  specify  the  filename 
(FILE=’< filename)’ ) and  include  control  records  after  the  EXEC 
card  which  tell  the  compiler  which  members  of  what  Scrunch  PDS 
to  compile  and  in  what  order  these  members  are  to  be  compiled. 

Figures  4a  and  4b  give  the  general  form  and  an  example. 

Link  Editing 

SUECL  is  called  in  much  the  same  way  and  with  the  same  control 
record  scheme.  The  only  difference  is  in  the  addition  of  a 
specification  of  a member  name  (MEMBER=<membername»  . This  will 
be  substituted  in  the  JCL  for  this  procedure  to  name  a member  in 
the  LINKLIB  PDS  to  which  the  link-edited  object  code  will  be  written. 
The  Linkage  Editor  is  invoked  in  this  procedure  with  the  NCAL 
option  specified.  This  allows  the  storage  of  object  modules  with 
unresolved  external  references  until  the  segments  of  code  to  which 
they  refer  have  been  coded,  compiled  and  separately  link-edited. 

After  the  programmer  has  coded  all  procedures  for  a particular 
system  of  procedures  (i.e.,  after  all  internal  procedures  have  been 
coded,  compiled  and  object  modules  placed  in  the  LINKLIB  PDS), 

SUEL  is  called  to  invoke  the  Linkage  editor,  the  NCAL  option,  in 
order  to  completely  link  edit  all  object  modules  of  a system  of 
procedures  and  store  the  resultant  load  module  in  the  Linklib  PDS. 

The  programmer  is  required  to  specify  in  the  EXEC  Statement  a value 
for  a member  name  in  the  LINKLIB  PDS  (MEMBER=  member  name  ) to  which 
the  load  module  is  to  be  written  and  s/he  will  be  required  to  use 
control  statements  of  the  form  - INCLUDE  SYSLIB(< member  name))  - 
which  indicates  to  the  Linkage  Editor  which  members  « member  name))  of 
the  Linklib  PDS  are  to  be  processed.  There  will  be  as  many  of  these 
statements  as  there  are  members  to  be  link  edited.  The  process  will 
bomb  if  there  are  any  procedure  calls  for  which  no  procedure 
has  been  coded,  compiled  and  stored  in  the  Linklib  PDS. 

USING  TSO 

In  order  for  the  Programmer  to  use  TSO  each  file  is  allocated 
2 additional  PDSs:  1)  a CNTL  PDS  with  a data  set  name  of 
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<scrunch  PD Sname>< member  name><control  toggles> 

<scrunchPDSname>  is  either  PROGRAM  or  DATA 

<member  name>  is  the  member  of  the  scrunch  PDS  to 
be  compiled 

<control  toggle>  controls  the  emission  of  information 
to -the  Sysprint  data  set 


Figure  4a.  General  Form  for  Compiler  Control  Records 


// 


EXEC  SUEC,  FILE='<file  name>' 


DATA  NAMEl  "iL 

DATA  NAME2  D 

DATA  NAMES 
PROGRAM  NAMES 
DATA  NAME  4 
PROGRAM  NAME4 
PROGRAM  NAME2  DE 

/* 


(no  listing  of  this  block) 
(list  s3nnbol  and  type  tables) 


(list  s3mibol  and  type  tables, 
emitted  code) 


Figure  4b.  Example  of  Invocation  of  Compiler 
with  Control  Records 
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<tsoid>.  CNTL  and  2)  A CLIST  PDS  with  a data  set  name  of  <tsoid>. 
X.CLIST.  The  first  is  storage  for  JCL  card  images  and  other  control 
cards  for  submission  to  batch  processing  through  the  Remote  Job 
Entry  (RJE)  facility  of  ISO  (see  caveat  #3  before  using  RJE) . 

The  second  is  storage  for  any  command  lists  which  a programmer  may 
want  to  create.  One  useful  command  list  passes  values  for  a file 
name  and  a member  name  to  a generalized  call  to  the  editor  for  a 
member  of  a PDS  and  executes  the  call.  Other  uses  are  left  to 
the  programmer ’ s imagination . 

Project  7070  uses  a catalogued  procedure  to  allocate  PDSs  for 
files.  The  programmer  calls  the  catalogued  Procedure  SUEALLOC 
and  specifies  his  TSO  account  number  (TSOID=<tsoid>)  and  the  file 
name  (FILE=<f ilename>) . 

USING  MITRE  BATCH  FACILITIES 

All  procedures  mentioned  here  can  be  called  in  the  batch  job 
stream.  Members  can  be  created  by  lEBUPDTEJ  they  can  be  updated 
by  using  the  procedure  SUEAS  which  calls  the  ALTER  program  and  uses 
the  same  utility  control  statements  (see  the  Facility  Manual) . In 
addition  this  procedure  rewrites  the  Scrunched  data  set.  There  is 
a card  to  printer  procedure  called  SUESC  which  takes  card  input  and 
produces  a compiler  diagnostic.  With  TSO,  however,  these  two 
procedures  are  not  necessary  and  all  the  others  may  be  called  through 
JCL  which  the  programmer  has  stored  in  dynamically  created  CNTL 
data  sets.  Of  course,  in  order  to  use  TSO  the  programmer  has 
to  have  some  way  of  identifying  himself  to  the  system  as  a legitimate 
user  and  this  is  done  through  the  TSO  account  number, 

GETTING  READY  FOR  TSO 

In  order  to  obtain  a TSO  account  number  (which  is  also  the 
”TS0ID**)  the  programmer  can  call  User  Assistance  at  X2525^  and  after 
giving  Lee  Gera  the  pertinent  information, he  will  assign  the  programmer 
a number  of  the  form  TS0XXX  and  an  eight  character  Password.  After 
Lee  places  the  programmer’s  account  on  the  system  the  programmer  may 
proceed  to  do  his  thing.  However,  to  do  it  on  TSO  s/he  must  first 
read  the  TSO  User’s  guide  (GC28-6697)  which  will  introduce  her/him 
to  TSO  and  have  ready  the  TSO  Command  Language  Reference  which  will 
serve  as  a reference  guide  to  the  Function,  Syntax  and  Operands  of 
TSO  commands.  In  addition,  the  programmer  will  have  to  have  a 
MITRE  Computer  Facilities  Manual  in  order  to  see  the  changes  and 
extensions  that  MITRE  has  made  to  the  original  IBM  Product  in  order 
to  make  it  more  compatible  with  humans.  These  changes  and  extensions 
are  listed  and  explained  in  Chapter  7.  All  these  and  any  other 
manuals  may  be  obtained  from  Stella  Theokas  in  the  keypunch  area  of 
the  computer  facility. 
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Caveats 


(1)  It  may  not  be  obvious  from  the  following  attachments  that 

a SUE  file  resides  on  2 disk  packs.  The  SOURCE,  CNTL  and  CLIST  PDS- 
reside  on  the  public  pack  and  the  DATA,  PROGRAM  and  LINKLIB  PDSs  re- 
side on  a private  pack  (serial  number  DP5006) . With  the  present 
LOGON  procedure  available  to  Project  7070  (the  default  procedure), 
only  those  PDSs  residing  on  the  public  packs  can  be  accessed 
through  TSO.  However,  others  may  be  assessed  by  any  Job  entered 
through  RJE. 

(2)  All  control  cards  for  the  compiler  and  Linkage  Editor 
begin  in  column  1. 

(3)  One  slight  failing  of  RJE  is  that  there  is  no  way  for 

the  operator  to  know  that  a private  storage  medium  is  required 
unless  the  JCL  for  the  Job  tells  him.  This  is  done  at  MITRE 

through  a HASP  SETUP  card  image.  This  is  described  in  the  Facilities 

Manual  on  Page  6.2.  The  user  should  request  Volume  DP5006  - a disk 
pack. 

Summary  with  Examples  of  SUE  Procedure  Calls 

1)  SUEALLOC:  Allocates  the  6 PDSs  required  for  working  with  the 

SUE  language.  SOURCE,  CNTL  and  CLIST  are  allocated  on  the  Public 

Packs  while  DATA,  PROGRAM  and  LINKLIB  are  allocated  to  the  Project 

7070  private  Pack.  File  name  must  be  specified. 

e.g.5  //anyname  EXEC  SUEALLOC,FILE=' JAL.SYSPROC ,TSOID=TS0999 

2)  SUES:  Scrunches  source  code  and  places  the  result  on  either  the 
Data  or  Program  PDS  according  to  what  control  records  appear  with 
the  source  code  (see  Figures  3a  and  3b).  The  programmer's  TSOID, 
file  name  and  member  name  of  the  Source  PDS  member  to  be  processed, 
must  be  specified. 

e . g . , / /anyname  EXEC  SUES , FILE= ’ JAL . SYSPROC ’ ,MEMBER=DELETEP , 

TSO1D-TS0999 

3)  SUEC:  Compiles  scrunched  code,  produces  listings  and  diagnostics 
and  scratches  files  containing  object  code.  Programmer’s  file 

name  must  be  specified  and  control  records  must  be  placed  after  the 
EXEC  CARD  (see  the  section  on  compilation  and  Figure  5b) . 
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e.g.,  //anyname  EXEC  SUEC,FILE=' JAL. SYSPROC 
* 

compiler  control  records 

9^ 

/* 

N.B.  the  member  name  specified  is  the  member  in  the  LINKLIB  PDS  to 
which  the  object  code  will  be  written. 

5)  SUEL:  Link  edits  files  specified  by  control  records  (see 
section  on  Link  Editing)  and  terminates  at  discovery  of  unresolved 
external  reference  or  at  successful  completion.  When  successful, 
places  fully  link  edited  code  in  LINKLIB  PDS  under  a specified 
member  name.  File  name  and  member  name  must  be  given. 

e.g.,  / /anyname  EXEC  SUEL , FILE= ’ JAL . SYSPROC ’ ,MEMBER=DELETE 

9c 

-k 

Linkage  Editor 
Control  Records 

k 

k 

Ik 

6)  SUEAS ; Batch  editor  for  Project  7070.  Calls  Alter  and  Scrunch 
Programs.  Filename  and  member  from  SOURCE  PDS  must  be  specified. 
Control  cards  and  change  cards  are  as  for  the  ALTER  Program.  See 
the  Facility  Manual  Page  5.80  for  more  information. 

e.g.,  / /anyname  EXEC  SUEAS , FILE= ’ JAL . SYSPROC ’ ,MEMBER=DELETEP 
* 
k 

control  and  change  cards  for  ALTER 

k 

k 

/k 

7)  SUESC:  Executes  scrunch  and  compile  on  card  input.  Output  is 
to  printer  for  listing  and  diagnostics.  All  files  are  temporary. 

^ • g • 3 / / anyname  EXEC  SUESC 

k 

k 

card  input 

k 

k 

/k 
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8)  SUESCRTH:  Deletes  all  PDSs  for  a particular  file  name.  TSOID 
and  file  name  must  be  specified. 

e.g.,  //anyname  EXEC  SUESCRTH, TSOID=TS0999,FILE='JAL.SYSPROC’ 

Examples  of  Program  Execution  and  Development  Under  TSO 

A guide  and  scenarios  are  given  below  to  illustrate  the  steps 
a SUE  programmer  must  use  to  allocate  files  for  her/himself,  create 
and  edit  PDS  members  and  submit  jobs. 

Allocation  of  Files 


The  allocation  of  files  can  be  done  either  through  TSO  or 
through  the  batch.  It  seems  frivolous  to  spend  money  on  the  sub- 
mission of  such  a short  job  through  RJE  so  batch  processing  is 
recommended.  The  cards  needed  are  a job  card  and  the  execute  card 
for  SUEALLOC  (see  example  in  the  previous  section).  Don’t  forget 
to  put  the  Serial  # DP5006  on  the  back  of  the  green  request  card 
under  "Disk  Packs  Required". 

Creating  Members  in  Your  Newly  Allocated  Disk  Area 

There  are  two  ways  of  doing  this  - lEBUPDTE  with  cards  or 
through  TSO.  lEBUPDTE  JCL  is  first  given.  For  a more  comprehensive 
look  at  this  utility  the  programmer  should  consult  the  OS  Utilities 
Manual  (GC28-6586) . 

//jobcard  (if  necessary) 

//  EXEC  PGM=IEBUPDTE,  PARAM-NEW 
//SYSPRINT  DD  SYSOUT-A 

//SYSUTl  DD  DSN=<tsoid>. <filename>.  SOURCE,DISP=SHR 
//SYSUT2  DD  DSN=<tosid>.<filename>.  SOURCE, DISP=SHR 
//SYSIN  DD  * 

./  ADD  LIST=ALL,NAME=  membernamel 
./  ADD  LIST=ALL,NAME=  membername2 
(card  images) 

ic 

* 

•k 


/k 

N.B.  < membernamel  > and  < membername2>  are  the  names  the  programmer 
has  chosen  according  to  the  conventions  stated  previously  for  source 
PDS  members.  There  may  be  any  number  of  ADD  statements-one  for 
each  member  to  be  added. 
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To  do  the  above  through  TSO  one  would  make  the  following  call 
to  the  editor: 

edit  VtsoidX  SUE.<f  ilename>.  SOURCE(<membername>)  ' 

DATA  NEW  NONUM 

Since  the  member  is  new  the  user  is  placed  into  input  mode  immedia- 
tely and  is  ready  to  write  whatever  input  s/he  wants.  One  must  do 
this  for  each  member  to  be  placed  on  the  PDS.  Typing  out  such  a 
long  command  can  become  tedious  when  one  does  it  over  and  over 
again  - as  one  sometimes  must  for  a large  series  of  editing  changes 
to  many  members  of  many  data  sets  - therefore,  the  CLIST  facility 
is  used.  The  following  command  is  used  to  create  the  member  whose 
membemame  is  ’e*  in  the  CLIST  PDS  named  X: 

edit  x(e)  clist  new 

When  the  terminal  is  in  input  mode  the  following  entries  are  made: 
proc  2 fname  mem 

edit  ’<tsoid>.  sue  • &fname  • . source  (Stmem.  ) ’ data  nonum 

N.B.  This  is  for  editing  an  already  existing  member.  If  one  wanted 
to  create  a new  member  one  would  place  the  keyword  ”NEW”  after  the 
attribute  parameter.  A carriage  return  brings  the  terminal  to  edit 
mode  and  the  command 

se 

saves  and  ends  the  edit  session.  To  learn  more  about  the  PROC 
statement  in  TSO  please  consult  the  TSO  Command  Language  Reference. 
When  one  wants  to  call  the  editor  one  types  in  the  exec  command 
specifying  the  file  name  and  member  name  like  so: 

exec  x(e)  ’<filename><membername>^ 

The  terminal  will  be  returned  to  you  in  Edit  mode  for  the  member 
specified,  or  input  mode  if  NEW  is  specified  in  the  CLIST. 

In  order  to  run  jobs  through  RJE  one  must  have  JCL  card  images 
on  disk  and  accessible  to  the  terminal.  The  CNTL  PDS  is  the  data 
set  which  will  contain  the  JCL  necessary.  In  order  to  place  the  JCL 
into  members  of  the  PDS  one  uses  the  EDIT  command  to  create  the 
new  member: 

edit  cntl(<membername>)  cntl  new  nonum 
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Now  the  terminal  is  in  input  mode  and  one  can  enter  the  JCL  and, 
when  necessary,  any  other  information  such  as  compiler  or  linkage 
editor  control  records  and  setup  records.  Here  is  a sample  scenario 
where  members  of  the  CNTL  PDS  are  created  for  scrunching  a program 
called  WHITES  (which  contains  internal  procedures)  and  compiling  it 
with  already  scrunched  NOFORN  (a  context  block) , WHYNOT  (another 
context  block),  SEARCH  (a  stand  along  procedure),  APPENDI  (which  has 
internal  procedures)  and  APPENDS  (another  stand  alone  procedure)^ 
all  of  which  are  in  the  SUE  file  ’ JAL. SYSPROC’ . <CR>  means  that 
the  carriage  return  button  is  pushed  after  a line  is  entered.  The 
command  SE  saves  the  input  and/or  changes  and  exits  from  the 
command  EDIT. 

1)  Make  a Job  Card 

Command:  edit  ’ ts0999. cntl (jobcard) ’ cntl  new  nonum 

Input:  //TS0999A  JOB  (7070, D73,  DESK) , ’LARKINS  JA* ,CLASS=D 

//  REGION=256K,TIME=(,20) ,NOTIFY=TS0999 

<CR> 

Command:  se 

2)  Scrunch  both  the  DATA  and  PROGRAM  blocks  of  WRITES 


Command:  edit  ’ ts0999. cntl(SWRITES) ’ cntl  new  nonum 


Input: 

//SCRUNCHD 

EXEC 

SUES , FILE= ' JAL . SYSPROC ' , 
MEMBER- WRITE SD , TSOID=TS0999 

//SCRNCHP 

EXEC 

SUES , FILE= ' JAL . SYSPROC ' , 
MEMBER-WRITSP , TSOID=TS0999 

<CR> 

Command : 

se 

3)  Compile  the  program  and  produce  only  diagnostics  and  listing. 

Command:  edit  ’ ts0999.  cntl(cmpwrite)  ’ cntl  new  nonum 

Input:  //CMPWRITE  EXEC  SUEC,FILE=’ JAL.SYSPROC’ 

DATA  NOFORN-7  L (no  listing) 

DATA  WHYNOT 

DATA  WRITES  D (sysbol  and  type  table  listed) 

DATA  SEARCH 
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DATA  APPENDI 
DATA  APPENDS 
PROGRAM  APPENDI 

PROGRAM  WRITES  DE  (Emitted  Code,  Symbol  table 

and  type  table  listed) 

<CR> 

Command : se 

4)  Submit  the  job  through  RJE 

Command:  sub  (cntl(jobcard)  cntl(swrites) cntl(cmpwrite) ) 

A HASP  job  number  will  be  returned  by  the  system  and  should  be 
copied  down  for  use  by  the  STATUS  command  and  other  commands  which 
are  outlined  in  the  Facility  Manual. 

If  the  programmer  wanted  to  link  edit  the  object  code  and  store 
it  the  following  step  would  replace  step  3. 

Command:  edit  ' ts0999. cntl(cmpwrite) ' cntl  new  nonum 

Input:  //CMPWRITE  EXEC  SUECL,FILE=' JAL. SYSPROC ,MEMBER=WRITES 


DATA  NOFORN  'L 
DATA  \^^HYNOT  'L 
DATA  WRITES  D 
DATA  SEARCH  ' L 
DATA  APPENDI  L 
DATA  APPENDS  'L 
PROGRAM  APPENDI  ' L 
PROGRAM  WRITES  E 


The  link  edited  object  code  will  be  stored  in  the  member  WRITES 
of  the  LINKLIB  PDS.  The  submit  command  would  look  the  same. 

If  the  programmer  had  finally  coded  his  whole  system  of  proce- 
dures and  placed  each  of  their  object  codes  in  the  LINKLIB  PDS 
and  wanted  to  obtain  fully  link  edited  object  codes  s/he  would  code 
the  following  JCL. 

We  assume  that  the  members  WRITEN,  SPVRGATE,  CHANGED,  lYPYE,  READS 
and  READN  are  members  of  LINKLIB. 
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Command: 

edit  ’ ts0999 . cntl(f ileproc) ’ cntl  new  nonum 

Input: 

//LINKED 

EXEC  SUEL , FILE= ’ JAL . SYSPROC ' ,MEMBER=FILEPROC 

INCLUDE 

SYSLIB(SPVRGATE) 

INCLUDE 

SYSLIB (WRITES) 

INCLUDE 

SYSLIB (WRITEN) 

INCLUDE 

SYSLIB (READS) 

INCLUDE 

SYSLIB (REDN) 

INCLUDE 

SYSLIB (ITYPE) 

INCLUDE 

SYSLIB (CHANGEB) 

/* 

<CR> 

Command : 

se 

Now  to  submit  the  job  the  programmer  will  issue  the  following 
command: 


SUBMIT  (CNTL(JOBCARD)  CNTL(FILEPROC) ) 

If  the  programmer  wants  to  delete  any  members  from  the  PDS  on  the 
PUBLIC  PACK  (SOURCE, CNTL,CLIST)  s/he  must  use  the  delete  command. 
The  following  is  a command  that  deletes  CNTL  member  SWRITES. 

delete  cntl(swrites) 

The  3270  Display  Terminal 


The  FSE  subcommand  of  EDIT  utilizes  the  3270  display  terminal 
to  its  fullest  to  ease  the  updating  of  card  images.  It  can  be  used 
to  edit  the  CNTL  and  SOURCE  PDS  members.  This  program  enables  the 
user  to  directly  change  her/his  code  on  the  screen  without  the 
mediation  of  the  insert,  delete,  and  change  subcommands.  For  more 
information  see  pp.  7-5.2  ff  of  the  facility  manual. 

The  next  section  contains  listings  of  the  JCL  for  SUE  Procedures. 
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//SUEALLOC  PROC 


//IEFBR14 

EXEC 

PGM=IEFBR14, ACCT=COST 

//SOURCE 

// 

// 

// 

DD 

USIT=PUBLIC,DISP= (NEW,CATLG)  , 

DCB=  (DSCBG  = PO, EECFM  = FB,BLKSIZE  = 3120,LRECL=80) , 

SPACE=  (TEK,  (15,10,10))  , 

DSN=GTSOID..SUE.CFILE. .SOURCE 

//DATA 

// 

// 

DD 

UNIT  = PACK, VOL= ( PRI V ATE , S EE= EP500 6) ,DISP=  (NEW, KEEP)  , 
DCB=  (BIKSIZE=2048,RECFM=F)  , SPACE= (2048 , ( 100,  100,  100) 
DSN=SUE.SFILE. .DATA 

//PROGRAM 

// 

// 

DO 

UNIT=PACK,VOL= (PRIVATE, SEE=DP5006)  ,DISP=  (NEW, KEEP) , 
DCB= (BLKSIZE=2048,EECFM=F) , SPACE= ( 20 48 , (50,50,50)) , 
DSN=SUE.&FILE. .PROGRAM 

//LINKLIB 

// 

// 

// 

DD 

UNIT=PACK,VOL= (PRIVATE,SEE=EP500  6)  , DISP=  (NEW, KEEP)  , 
DCB= (DSORG=PO,RECFM=U, BLKSIZE=7294) , 

SPACB= (TRK, (20,10,10))  , 

DSN=SUE.6FILE. .LINKLIB 

//CNTL 

// 

// 

// 

DD 

UNIT  = PUBLIC, DISP=  (NEW,CATLG)  , 

DCB= (DSCRG=PO,  EECFM  = FB, BLKSIZE=2000, LEECL=80) , 

SPACE=  (TEK, (5,5,10) ) , 

DSN=STSOID..CNTL 

//X 

// 

// 

// 

DD 

UNIT=PUBLIC, DISP=  (NEW, CAT  LG) , 

DCB= (DSOEG=PO,RECFM=VB,BLKSIZE=1680, LEECL=255) , 
SPACE=  (TRK,  (1,1,2))  ,. 

DSN=&TSOID.. X. CLIST 
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//SUEAS 

PROC 

SCANNER^SCRUNCH, JOENAME=SUEGROUP,SCROUT=DUMMY 

//ALTER 

EXEC 

PGM=WL SALTER, ACC T=COST 

//STEPLIB 

DD 

DSN=SUE.  DISTRIB.  LCADMOD,  DISPOSER 

//SYSPRINT 

DD 

SYSOUT=A 

//SYSUCUWP 

DD 

SYSOUT=A 

//PRINT 

DD 

SYSOUT=A 

//IN 

DD 

UNIT  = PACK, VOL=  (PRIVATE ,SER=DP5 006)  ,DISP=SHR, 

// 

DSN=SUE.&FILE. . SOU RCE ( &M EM E ER) 

//OUT 

DD 

UNIT  = PACK,VOL=  (PRIVATE, SER=EP5006) ,DISP= (OLD, PASS)  , 

// 

DSN=SaE.&FILE. •SOURCE (&MEMBER) 

//* 

//* 

//SCRUNCH 

EXEC 

PGM=XMON, REGION^IOOK, 

// 

PARM=' FREF=30000, JCENAME=&JOENAME« , ACCT-COST 

//STEPLIE 

DD 

DSN=SUE.DISTRIB.LOADMOD,DISP=SHR 

//PROGRAM 

DD 

DSN=SUE*  DISTRIB, &SCANNER, DISP=SHR 

//SYSPRINT 

DD 

&SCROUT 

//SYSPONCH 

DD 

DUMMY 

//FILE1 

DD 

VOL=  (PniVATE,SER  = DP5006)  , DSN  = S0E • 6FI LE. . PROGRAM, 

// 

UNIT^PACK, DISP=OLD, 

//PILE2 

DD 

VOL=  (PRIVATE,SER=DP5006) , DSK=S OE.  SPILE,  .DATA, 

// 

UNIT=PACK, DISP^OLD, 

//PILE6 

DD 

VOL=  (PRIVATE,SER=DP500  6) , DSN^SUE.S FILE,  • PROGRAM, 

// 

UNIT=PACK,DISP=OLD, 

//PILE? 

DD 

VOL=  (PRIVATE ,SER-DP 500 6) , DSN -S DE • SPI LE. . DATA , 

// 

ONIT=PACK,riSP=OLD, 

//OUTPUTS 

DD 

DSN=S&MODNAME,UNIT=SYSDA,DISP= (MOD, PASS)  , SPACE- (TBK, 1)  , 

// 

DCB=BLKSIZE=80 

//SYSIN 

DD 

DSN=*,  ALTER,  OUT,DISP=SHR 
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//SUESC  PROC 
// 

//SCRUNCH  EXEC 
// 

//STEFLIB  DD 
//PROGRAM  DD 
//SYSPRINT  DD 
//SYSPUNCH  DD 
//FILE1  DD 
// 

// 

//FILE2 
// 

// 

//FILE6 
//FILE? 
//OOTPUT3 
// 

//♦ 

//* 

//SUE 
// 

//STFPLIB  DD 
//PROGRAM  DD 
//SYSPRINT  DD 
//FILE1  DD 

//FILE2  DD 

//OUT PUT  3 
// 

//SYSIN 


DD 


DD 

DD 

DD 


EXEC 


DD 


DD 


SCANNER=SCRUNCH, SCROUT=DUMMY, VERSION=SUE1 1 , 

FREEST  2000  ^ JOB NAME=SUEG ROUP, CNTRLD=60000 
PGM=XMON,REGION=100K, 

PARM= • FREE=30000, JOBNAME=e JO  ENAME* , ACCT=COST 

DISP==SHR,  DSN=SUE  .D I SIR  IB.  LOADMOD 

DISP  = SliR,DSN  =SUE.DISTRIB.  6SCANNER 

SSCROUT 

DUMMY 

DSN-=SST0KENS1,UNIT-^SYSDA,DISP-  (MOD, PASS)  , 

SPACE=  (TRK,  (10,5,17) ) , 

DCB= (DSORG=PO,RECFM=F,DLKSIZE=2048) 
DSN=&6TCKENS2,UNIT=SYSDA,DISP=  (MOD, PASS)  , 

SPACE=  (TRK,  (10,5,17) ) , 

DCD=  (DSORG=PO,RECFM  = F,BLKSIZE  = 2048) 

DUMMY 

DUMMY 

DSN=eBMCDNAMF,UNIT=SYSDA,DISP= (MOD, PASS)  , SP ACE=  (TRK, 1 ) , 
DCB=BLKSIZE=80 


PGM=XMON,REGION=310K,COND= (C ,LT, SCRUNCH) ,ACCT=COST, 
PARM=  * FRFE=6FREE,C0N?R0LD=SCNTBLD, JOENAM  F = 6JOBNAME« 
DISP^SHR, DSN^SUE.DISTRID. LOADMOD 
DISP=SHR ,DSN=SUE .DISTRIB.SVERSION 

SYSOUT=A,DCB= ( RECFM= FB A , LRECL= 1 33 , BLKS 12 £= 532 , BUFNO=2) 
DSN=*. SCRUNCH. FILE1,DISP= (OLD, PASS) 

DSN=*. SCRUNCH.FILE2,DISP= (CLD, PASS) 
DSN=66SYSLIN,UNIT=SYSDA,DISP={MOD ,PASS) , 

SPACE=  (TRK, (20,5))  , DCB= ( RECFM= F B, LR ECL=80, BLKSIZE*800) 
DSN=66MODNAME, DISP=  (OLD, DELETE) 
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//SUES 

PROC 

SCANNER^SCRUNCH, JOBNAHE=SUEGROUP 

//SCRUNCH 

EXEC 

PG M=X MON, REG ION= 100 K, ACCT= COST, 

// 

PARH  = * FREE  = 30000, JOBNAHE=&JOBNAHE« 

//SllEPLIB 

DD 

DSN=S0E. DISTRIB. LOADHOD, DISF=SHR 

//PROGRAM 

DD 

DSN=SUE.DISTRIB.&SCANNER, CISP=SHR 

//SYSPRINT 

DD 

DUMMY 

//SYSPONCH 

DD 

DUMMY 

//FILE1 

DD 

VOL=  (PRIVATE,SER=DP500  6)  ,D SN=SUE . SFI LE .• PROGRAM , 

// 

UNIT=PACK,DISP=OLD 

//PILE2 

DD 

VOL-  (PRI VATE,SER=DP500  6)  , DSN=SUE. S FILE, • DATA, 

// 

ONIT=PACK,DISP=OLD 

//FILE6 

DD 

VOL=  (PRIVATE, SER=DP5006)  , DSN=S UE. & FILE. • PROGRAM, 

// 

UNIT=PACK,DISP=OLD 

//FILE7 

DD 

VOL=(PRIVATE,SER=DP5006)  ,D SN=S UE . 5FILE . . DAT  A, 

// 

UNIT=PACK,DISP^OLD 

//OUTPUTS 

DD 

DSN^&EMODNAME, UNIT=SYSDA ,DISP=  (MOD, PASS)  , SPACE*  (TRK, 1)  , 

// 

DCB=BLKSIZE*80 

//SYSIN 

DD 

DSN=&TSOID.. SUE. &FILE. .SOURCE (5MEHBER) ,DISP*SHR 
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//SUEC 

PROC 

VEPSION=SnEl 1 , FREE=12000, 

// 

JOBNAME=SUEGROUP ,CNTELD=60000,  SYS  = P7070 

//SUE 

EXEC 

PGM=XMON, REGION=310K,ACCT=COST, 

// 

PARM=*  FREE=6FPEE,CONTROLD=6CNTRLD, J0ENABE=6J0BNAME' 

//STEPLIB 

DD 

DSN=SUE.DISTRIB. LCAD«OD,DISP=SHR 

//PROGRAM 

DD 

DSN=SUE.DISTRIB.6VEHSION,DISP=SHR 

//SfsPRINT 

DD 

SYSOOT=A,DCE= (RECFM=FBA,LRECL= 133, BLKSIZE=532, BUFNO=2) 

//FILE1 

DD 

VOL= (PRIVATE,SER  = DP5006) , DSN=SBE . 6 FILE. .PROGRAM , 

// 

UNIT=P ACK, DISP=SHR 

// 

DD 

VOL=  (PRIVATE,SER  = DP5006)  ,DSN=SUE.6SYS. .PROGRAM, 

// 

UNIT=PACK,DISP=SHR 

//FILE2 

DD 

VOL=  (PRIVATE, SER=DP 5006) , D SN=SaE . 6FI LE . . DAT A , 

// 

ONIT=PACK,DISP=SHR 

// 

DD 

VOL= (PRIVATE, SER=DP 5006) ,D SN=SUE . 6S YS. . D AT A , 

// 

0NIT=PACK,DISP=SHR 

//OCTP0T3- 

DD 

DSN=6eSYSLIN,DISP=( HOD, PASS) ,UNIT=SYSDA, 

// 

SPACE=  (TRK,  (20,5) ) , DCB=  (RECFH=FB, LEECL  = 80, BLKSIZE=800) 
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//SUECL 

PROC 

// 

//SUE 

EXEC 

// 

//STEPLIB 

DD 

//PROGRA?! 

DD 

//SYSPRINT 

'dd 

//FILE1 

DD 

// 

// 

DD 

// 

//FILE2 

DD 

// 

// 

DD 

// 

//OOTPUT3 

DD 

// 

//* 

//* 

//LKED 

EXEC 

// 

//STEPLIB 

DD 

//SYSPRINT  DD 

//SYSLIN 

DD 

// 

DD 

//SYSUT1 

DD 

//SYSLMOD 

DD 

// 

//SYSIN 

DD 

VERS I0N=SUE1 1 ,CNTRLD=60000 , 

FREE=12000,JOBNAHE=SUEGROUP,SYS=P7070 
PGH=XHCN,REGION=310K, ACCT=COST, 

PARH  = ' FREE=f>FREE,C0NTR0LD  = 6CNTRLD, J0ENAME=6 JOBNAHE' 

DSN=SUE. DISTPIB. LOADHOD, EISP=SHR 
DSN  = SUE.DISTRIB.  6VERSIO!! , DISP=SHR 

syS0UT  = A,DCB=  (RECFK=FBA,LRECL=13  3,BLKSI2E=532,B0FN0=2) 
VOL= (PRIV ATE,SER  = DP5006) ,CSN=SUE.6FILE..  PROG RAH, 
UHIT=PACK,DISP=SHR 

VOL=(PRIVATE,SER  = DP5006),DSN=SUE.6SYS.  .PROGRAM, 
nNIT=PACK, DISP=SHR 

VOL=  (PRIVATE, SER=DP5006) , DS N = S BE. 6 FILE . . DA TA , 
aNIT=PACK, DISP=SHR 

vbL=  (PRIVATE, SER=DP5006) , DSN=S BE. 6 S YS. . DAT A , 
BNIT=PACK,DISP=SHR 

DSN=66SYSLIN,DISP= (HOD, PASS) ,BNIT=SYSDA, 

SPACE=  (TRK, (20  ,5) ) , DCB=  (RECFH= F E, LRECL=80 , BLKSI2E=800) 

PGM=IEWL ,REGI0N=96K,C0ND= (0,LT,SBE)  , 
PARH=(XREF,LIST,NCAL) ,ACCT=COST 
DSN=SBE.DISTRIB. LOADHOD, BIS P=S HR 
SYSOBT=A 

DSN=*. SBE.OBTPOT3,DISP= (OLD, DELETE) 

DDNAHE=SYSIN 

DSN=66SYSBT1 , USI T=SYSD A , SP ACE=  (TRK,  (50 ,5) ) 

BNIT=PACK, VOL= (PHI V ATE , S ER=DP500 6) , DISP=OLD, 

DSN  = S0E.SFILE. .LINKLIB  (6MEHBER) 

DBMHY 
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V/SCEL 
//1.K2D 
//SYS  PE  I ST 
//SYSLIS 
//SYSLBOD 
// 

//SYSUT1 

//SYSLIE 

// 


PROC  SYS=P7070 

EXEC  PG«=IEHL,FAHM= 'XEEF,LIST'  , ACCT  = COST 
DD  SYSOUT=A 
DO  DDNAHE=SYSIN 

DD  UNIT=PACK, VOL= (PRIVATE ,SEE=DP5006) ,DISF=CLD, 
DSN=SUE.SSYS.. LINKLIE(£HEHBEE) 

DD  UNIT=  (DISK,SEP=sySL«OD) ,S P ACE= ( 1 0 24,  (200,20) ) 

DD  VOL=  (PRIVATE, SEE=DP5006) , DSN  = S0E.S FILE. . LINKLIB , 
ONIT=PACK,DISP=SHE 
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//SUESCBTH  PROC 

//IEFBR14  EXEC  PGM=IEFBE1 4, ACCT=COST 

//CNTL  DD  DISP=(OLD, DELETE) ,DSN=6TSOID..CNTL 

//X  -DD  DISP={CLD, DELETE) ,DSN=eTSOID..X.CLIST 

//SOURCE  DD  DISP=  (OLD, DELETE) ,DSN=6TS0IE.. SUE. 6F1LE. .SOURCE 

//PBOGHiH  DD  DISP={OLD, DELETE) , UNIT=PACK, VOL= (PRI VATE , SEE*DP500 6) , 

//  DSN-SUE.6FILE. .PROGRAM 

//DATA  DD  DISP= (OLD, DELETE) ,UNIT=PACK,VOL» (PRIVATE, SEE=DP5006) , 

//  DSN*SDE.6FILE. .DATA 

//LINKLIB  DD  DISP= (OLD, DELETE) , Ul(IT= PACK, VOL» (PRIVATE, SER=DP5006) , 
//  DSN=SUE.6FILE.. LINKLIB 
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PDP-11/45  Interrupt  Vectors  and  Control  Registers  - 2 June  1975 


Definition 


Octal  Hex 


Interrupt  Vectors 


Reserved 

0 

0 

Time  Out,  Bus  Error,  Odd  Address,  Stack  Violation 

4 

4 

Reserved  Instruction 

10 

8 

Debugging 

14 

E 

lOT 

20 

10 

Power  Fail 

24 

14 

EMT 

30 

18 

TRAP 

34 

1C 

Dec  Writer  In  (BR4) 

60 

30 

DEC  Writer  Out  (BR4) 

64 

34 

Programmable  Real-Time  Clock  (KWll-P,  BR6) 

104 

44 

General  Purpose  DMA  Interface  (DRll-B,  BR5) 

124 

54 

Line  Printer  Control  (LSll,  BR4) 

200 

80 

Disk  Control  (RFll,  BR5) 

204 

84 

DEC  Tape  Control  (TCll,  BR6) 

214 

8C 

Magnetic  Tape  Control  (TMll,  BR6) 

224 

94 

Card  Reader  Control  (CRll,  BR6) 

230 

98 

Programming  Interrupt  Request 

240 

AO 

Memory  Management  Unit  Traps  and  Violations 

250 

A8 

DIVA  Disk  (BR5) 

254 

AC 

Start  of  Floating  Vectors  (BR5  unless  otherwise 

noted,  each  device  has  a pair  of  vectors  - 
in  and  out) 

Telterm  #1  Control  (BR4) 

300 

CO 

Telterm  #2  Control  (BR4)  (BR-90  Lab) 

310 

C8 

Asynchronous  Line  Interfaces  (DCll-DA) 

//I 

320 

DO 

#2 

330 

D8 
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Definition 


Octal 


Hex 


#3 

340 

EO 

H 

350 

E8 

Synchronous  Interface  (DPll-DA)  BR90 

360 

FO 

TTY 

370 

F8 

End  of  Floating  Vectors 

377 

FF 

Control  Registers 

TTY  (4  registers) 

760160 

3E070 

DIVA  Disk  (8  words) 

764000 

3E800 

Programmable  Read-Time  Clock  (KWll-P)  Secure  Mode 

Count  and  Status 

770540 

3F160 

Count  Set  Buffer 

770542 

3F162 

Counter 

770544 

3F164 

Supervisor  Segmentation  Registers 

I Space  Descriptor  Registers  (0-7) 

772200 

3F480 

D Space  Descriptor  Registers  (0-7) 

772220 

3F490 

I Space  Address  Registers  (0^7) 

772240 

3F4A0 

D Space  Address  Registers  (0-7) 

772260 

3F4B0 

Kernel  Segmentation  Registers 

I Space  Descriptor  Registers  (0-7) 

772300 

3F4C0 

D Space  Descriptor  Registers  (0-7) 

772320 

3F4D0 

I Space  Address  Registers  (0-7) 

772340 

3F4E0 

D Space  Address  Registers  (0-7) 

772360 

3F4F0 

General  Purpose  DMA  Interface  (DRll-B) 

Word  Count 

772410 

3F508 

Bus  Address 

772412 

3F50A 

Status  and  Command 

772414 

3F50C 

Data  Buffer 

772416 

3F50E 

11/45  SSR3 

772516 

3F54E 
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Definition 


Octal 


Hex 


Magnetic  Tape  (TMll) 


Status 

772520 

3F550 

Control 

772522 

3F552 

Byte  Counter 

772524 

3F554 

Memory  Address 

772526 

3F556 

Data  Buffer 

772530 

3F558 

Read  Lines 

772532 

3F55A 

Programmable  Real-Time  Clock  (KWll-P) 

Normal  Mode 

Count  and  Status 

772540 

3F560 

Count  Set  Buffer 

772542 

3F562 

Counter 

772544 

3F564 

Bootstrap  Loader 

Disk  (RFll) 

773100 

3F640 

DEC  Tape  (TCll) 

773120 

3F650 

Magnetic  Tape  (TMll) 

773126 

3F65E 

Asynchronous  Line  Adapters  (DCll-DA, 

4 registers  each) 

#1 

774000 

3F800 

#2 

774010 

3F808 

#3 

774020 

3F810 

#4 

774030 

3F818 

Synchronous  Interface  (DPll-DA,  6 
registers/8  bytes)  BR90 

774770 

3F9F8 

Line  Printer  (LSll)  Secure  Mode 

Status 

775564 

3FB74 

Data  Buffer 

775566 

3FB76 

Telterm  #1  (4  registers) 

776160 

3FC70 

Telterm  #2  (4  registers)  (BR-90  Lab) 

776560 

3FD70 
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Definition 


Octal 


Hex 


Card  Reader  (CRll) 


Status 

777160 

3FE70 

Data  Buffer 

777162 

3FE72 

Data  Buffer 

777164 

3FE74 

DEC  Tape  (TCll) 

Control  and  Status 

777340 

3FEE0 

Command 

777342 

3FEE2 

Word  Count 

777344 

3FEE4 

Bus  Address 

777346 

3FEE6 

Data  Register 

777350 

3FEE8 

Disk  (RFll) 

Control  Status 

777460 

3FF30 

Word  Count 

777462 

3FF32 

Current  Memory  Address 

777464 

3FF34 

Disk  Address 

777466 

3FF36 

Disk  Error  Status 

777470 

3FF38 

Disk  Data  Buffer 

777472 

3FF3A 

Maintenance 

777474 

3FF3C 

Address  of  Disk  Segment 

777476 

3FF3E 

Line  Printer  (LSll)  Nornal  Mode 

Status 

777514 

3FF4C 

Data  Buffer 

777516 

3FF4E 

DEC  Writer  (4  registers) 

777560 

3FF70 

Console  Switch  Register 

777570 

3FF78 

11/45  SSRO 

777572 

3FF7A 

11/45  SSRl 

777574 

3FF7C 

11/45  SSR2 

777576 

3FF7E 

User  Segmentation  Registers 

I Space  Descriptor  (0-7) 

777600 

3FF80 

D Space  Descriptor  (0-7) 

777620 

3FF90 
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Definition 


Octal 


Hex 


I Space  Address 

(0-7) 

777640 

3FFA0 

D Space  Address 

(0-7) 

777660 

3FFB0 

11/45  PIRQ  Register 

777772 

3FFFA 

11/45  Stack  Limiter  Register 

777774 

3FFFC 

CPU  Status  (PSW) 

777776 

3FFFE 

270 


ADDENDA 
FLOW  CHARTS 


271 


C ) 


111 


273 


274 


0 

ro 

d 

tn 

1 

CD 


275 


276 


277 


Q create  ^ 


(] 


NEW  SEG  CLASS  < 

PARENT  SEG'S  CLASS 

* S 

NEW  SEG  CAT 

DOES  NOT  INCLUDE 
PARENT  SEG'S  CAT 

I 

SIZE  NOT  WITHIN 

H 

LIMITS 

OFFSET  NOT  A 

FREE  DIRECTORY 
ENTRY 

N 

. CLASS  >=. 

AST- GLASS 
; ASTE 
iST_  GLASS  MASK 


RETURN 

ERROR 


) 


WRITE  DIRECTORY 
ENTRIES  FOR  NEW  SEG 
DIR_TYPE  = SEG_TYPE  I 
UNINITIALIZED  I CLASS 
DIR_CAT  = CAT 
D1R-DISK=  DISK. ADR 
DIR_SIZE=SIZE 


c 


RETURN  OK 


278 


(D 

CJ 

o’ 

tn 

r 

CD 


Y aj\ST_UNLOCK  (ASTE^4«0a 

^AST-  UNLOCK-MASK 
= UNLOCK-FLAG'' 


SEGMENT  IS  IN  ACTIVE  SPACE  OF 
PROCESS',  DISABLE  IT 

I ~ 

TO  REG4S- 


REO  # +1 


279 


(O 

00 

d 

m 

I 

CO 


281 


282 


283 


284 


^D^ETE  SEG^ 


(VJ 

CVJ 

o 

m 


m 


285 


m 

<M 

o' 

If) 

I 

CQ 


286 


287 


288 


RETURN 


V. 


as 

ca 

d 

IT) 

I 

CD 


289 


290 


<T> 

ip 

d 

\n 

I 

m 


291 


292 


293 


c 


IT) 

00 

CJ 

o“ 

in 

I 

oo 


SEGMENT  IS  NOT  IN 
USERS  MEMORY  SPACE 


AST-CPL  ( ASTE  -#)  8 
'WIRED.DOWN  MASK=n 
WIRED- DOWN 


N 


ADJUST  USERS  MEMORY  QUOTA 
PS-MEM.QUOTA=  PS.  MEM 
QUOTA  MINUS  AST.SIZE  (ASTE  #) 


294 


GATE 


(0 

o 

ro 

o” 

ID 

I 

CD 


295 


GETOIB  ^ 


(O 

C\J 

d 

>o 

I 

m 


296 


297 


USER  HA' 
WRITES*  READ  6^ 
EXECUTE. ACCESS ■ 
'^TQ  THE  ACL 


298 


299 


PLACE  FIRST 
IN  LIST 
POSITION  = 0 


FIND  END  OF  LIST 
POSITION  = DIR-ACL 
HEAD  (OFFSET) 


• ACL.CHAIN 
"( POSITION  ) = 0" 
''ACL-USER  ( ACL.CHAIN" 
(POSITION)) 
a ACL-USER. MASK= 
ALL-USERS 


POSITION  = 
ACL.CHAIN  (POSITION) 


FILL  IN  NEW  ELEMENT 
ACL-USER  (ACLE  *)  = 
USER  MODE  ACL- 
PROJECT  (ACLE  * ) = 
PROJECT 


300 


CJ 

o" 

m 

I 

CD 


301 


iT) 

o 

m 

O 

in 


m 


302 


INITSEG  ^ 


303 


note:  ALL  INTERRUPT  HANDLERS  LISTED  IN  GATE  WORK 
THE  SAME  WAY. 


C 


INTERRUPT 


) 


(! 


KERNEL-ENTRY 


) 


V THE  DEVICE  SEMAPHORE 

TO  NOTIFY  THE  WAITING 
PROCESS 

! 

( 


CALL  V 


c 


) 


KERNEL-EXIT 


c 


RETURN 


3 


O 

ro 

o“ 

in 

I 

(D 


304 


— 

rO 

O* 

in 

I 

CO 


ANYTHING  THERE  ? 


305 


(iPCSEND  ) 


PT.FLAGSIPROCESS#) 


306 


307 


IB-  50,298 


308 


cn 

cn 

eg 

O 

ir> 

I 

CD 


309 


CZZ) 


310 


c 


PCHECK 


X 


3 


FUNCTION-CODE  - APARM  > 


311 


312 


PARM.FLAGS 


313 


314 


315 


316 


317 


cn 

CM 

d 

m 

i 

03 


318 


|1B“50,266"| 


319 


( SOADD  ^ 


320 


ir> 

CVJ 


O 

in 

I 

CD 


DESCRIPTORS  FOR  THE_ 
CURRENT_PROCESS  RESTORED 

IN  KSR2 

( RETURN  ^ 


321 


op 

fO 

o' 

in 

I 

m 


Q STflRTp"^ 


322 


MOVE  THE  PROCESS  # INTO 
] TEMPORARY  REGISTER  # 3 
(TEMP^«t  3) 


DECREMENT  AND  TAKE 
THE  NEGATIVE  OF  THE 
PROCESS  (TEMP-!«t3) 


■,  MOVE  THE  NUMBER  “4000'' 

J INTO  TEMP  -#0 

^ MOVE  THE  NUMBER  “BFFF" 

; INTO  TEMP  * I 

IF  TEMP  ^ POSITIVE  LEFT  SHIFT 
\TEMP^(to,  TEMP^«fr3  TIMES. 

J OTHERWISE  RIGHT  SHIFT 
TEMP^tf-S  TIMES 
LEFT  OR  RIGHT  SHIFT  TEMP^<t| 

} TEMP  3 TIMES  IF  TEMP-#:  3 
POSITIVE  OR  NEGATIVE,  RESPECTIVELY 

1 PUT  THE  CONTENTS  OF  TEMP  #-0 
/INTO  PS-PROCESS-MASK 

-.PUT  THE  CONTENTS  OF  TEMP  #:  I 
/INTO  PS- PROCESS -NOT- MASK 


323 


o 

CNJ 

m 

o" 

in 

OQ 


324 


325 


OJ 

to 

d 

in 


326 


OJ 

OJ 

fO 

d 

in 

I 

oa 


327 


328 


-50,312 


329 


330 


00 

00 

csj 

d 

If) 

I 

03 


331 


( SWAPOUT  ^ 


332 


IB-50,315 


PUT  ON  FREE  CHAIN 

MBT.CHAIN  (BLOCK#)=MBT-CHAIN  (INDEX) 

MBT.CHAIN  (INDEX)=BLOCK#  IFREE.MEM 


333 


334 


1 


f 


(RETURN  ^ 
ERROR  Jr 


SEG  IS  NOT 

N 

r 

A DIRECTORY 

RETURN 

ERROR 


SEG  NOT  ON 

r 

WAL 

SEG  IN  MAIN 
MEMORY 


SEG  IN  MAIN 

1 MEMORY 

.....  ^ 

(^CALL  LSD  ^ 

! 

SEG  DESCRIPTORS  LOADED 
IN  DIR.KSD-ADR 

ACCESS  MODE  = 
SDR.WRITE. ACCESS 

1 

CHANGE  BIT 
INSURE  DISK 
SWAP  OUT  T 

CHANGED  TO 
WRITE  AT 

IME 

c 


RETURN  OK 


D 


335 


